Abstract

This paper presents a new concept in compiler correctness: instead of proving 
that the compiler performs all of its transformations correctly, the compiler generates 
a proof that the transformed program correctly implements the input program. A 
simple proof checker can then verify that the program was compiled correctly. We 
call a compiler that produces such proofs a credible compiler, because it produces 
verifiable evidence that it is operating correctly. 

Compiler optimizations usually consist of two steps — an analysis step determines if it is legal to apply the optimization, and a transformation step applies the optimization to generate a transformed program that computes the same result as the original program. Our approach supports this two-step structure. It provides a logic that the compiler can use to prove that its program analysis results are correct, and a logic that the compiler can use to prove that the transformed program correctly simulates the original program. These logics are defined for a standard program representation, control flow graphs. This report defines these logics and proves that they are sound with respect to a standard operational semantics. It also presents detailed examples that demonstrate how a compiler can use the logics to prove the correctness of several standard optimizations.

We believe that credible compilation has the potential to revolutionize the way compilers are built and used. Specifically, they will allow programmers to quickly determine if the compiler compiled their program correctly, help developers find and eliminate bugs in compiler passes, allow large groups of mutually untrusting people to collaborate productively on the same compiler, increase the speed with which compilers are developed and released, and make it possible to aggressively upgrade large, stable compiler systems without fear of inadvertently introducing undetected errors.



1 Introduction 

Today, compilers are black boxes. The programmer gives the compiler a program, and the compiler spits out an inscrutable bunch of bits. Until he or she runs the program, the programmer has no idea if the compiler has compiled the program correctly. Even running the program offers no guarantees — compiler errors may show up only for certain inputs. So the programmer must simply trust the compiler.

We propose a fundamental shift in the relationship between the compiler and the programmer. Every time the compiler transforms the program, it generates a proof that the transformed program produces the same result as the original program. When the compiler finishes, the programmer can use a simple proof checker to verify that the program was compiled correctly. We call a compiler that generates these proofs a credible compiler, because it produces verifiable evidence that it is operating correctly.

We believe that credible compilation has the potential to revolutionize the way compilers are built and used. Instead of having to accept whatever the compiler generates on blind faith, programmers will be able to verify that the compiler compiled their program correctly. Credible compilers will also help developers find and eliminate bugs in compiler passes, allow large groups of mutually untrusting people to collaborate productively on the same compiler, make it possible to aggressively upgrade large, stable systems without fear of inadvertently introducing undetected errors, promote the use of compilers that are customized for specific application domains, shrink the length of the compiler development cycle by making it practical to use buggy compilers, and make the use of compilers that do not produce correctness proofs a successful basis for product liability claims.
Figure 1: Traditional Compilation

Figure 2: Credible Compilation



Figures 1 and 2 graphically illustrate the difference between traditional compilation and 
credible compilation. A traditional compiler generates a compiled program and nothing 
else. A credible compiler, on the other hand, also generates a proof that the compiled 
program correctly implements the original program. A proof checker can then take the 
original program, the proof, and the compiled program, and check if the proof is correct. 
If so, the compilation is verified and the compiled program is guaranteed to correctly 
implement the original program. If the proof does not check, the compilation is not verified 
and all bets are off. 

This paper introduces the basic techniques required to build credible compilers for standard programming languages such as C and Java. The organization is as follows.
Section 2 presents an example that illustrates the basic concepts of standard invariants, 
which are used to prove that program analysis results are correct, and simulation invariants, 
which are used to prove that a transformed program generates the same result as the 
original program. Section 3 presents the technical core of the paper: the logics used to 
prove standard invariants and simulation invariants, and the proofs that these logics are 
sound. Section 4 presents a running example that shows how to generate correctness 
proofs for several standard transformations. Section 5 discusses some anomalies associated 
with proving that loops terminate, Section 6 discusses issues related to code generation, 
and Section 7 discusses related work. Section 8 discusses the potential impact of credible 
compilation. We present our conclusions in Section 9. 



2 Example 



In this section we present an example that explains how a credible compiler can prove that it performed a translation correctly. Figure 3 presents the example program represented as a control flow graph. The program contains several assignment nodes; for example the node 5 : i ← i + x + y at label 5 assigns the value of the expression i + x + y to the variable i. There is also a conditional branch node 4 : br i < 24. Control flows from this node through its outgoing left edge to the assignment node at label 5 if i < 24, otherwise control flows through the right edge to the exit node at label 7.



Figure 3: Original Program. The control flow graph drawn in the figure has the following nodes, each written in the notation of Section 3.1 with the label of its successor last:

1 : i ← 0 2
2 : x ← 1 3
3 : y ← 2 4
4 : br i < 24 5 7
5 : i ← i + x + y 6
6 : g ← 2 * i 4
7 : exit

Figure 4: Program After Constant Propagation and Constant Folding. The graph is the same as in Figure 3 except for node 5:

5 : i ← i + 3 6


Figure 4 presents the program after constant propagation and constant folding. The compiler has replaced the node 5 : i ← i + x + y at label 5 with the node 5 : i ← i + 3. The goal is to prove that this particular transformation on this particular program preserves the semantics of the original program. The goal is not to prove that the compiler will always transform an arbitrary program correctly.

To perform this optimization, the compiler did two things: 



• Analysis: The compiler determined that x is always 1 and y is always 2 at the 
program point before node 5. So, x + y is always 3 at this program point. 

• Transformation: The compiler used the analysis information to transform the program so that it generates the same result while (hopefully) executing in less time or space or consuming less power. In our example, the compiler simplifies the expression x + y to 3.

Our approach to proving optimizations correct supports this basic two-step structure. 
The compiler first proves that the analysis is correct, then uses the analysis results to 
prove that the original and transformed programs generate the same result. Here is how 
this approach works in our example. 

2.1 Proving Analysis Results Correct 

Many years ago, Floyd came up with a technique for proving properties of programs [4]. 
This technique was generalized and extended, and eventually came to be understood as a 
logic whose proof rules are derived from the structure of the program [2]. The basic idea 
is to assert a set of properties about the relationships between variables at different points 
in the program, then use the logic to prove that the properties always hold. If so, each 
property is called an invariant, because it is always true when the flow of control reaches 
the corresponding point in the program. 

In our example, the key invariant is that at the point just before the program executes node 5, it is always true that x = 1 and y = 2. We represent this invariant as (x = 1 ∧ y = 2)5. Section 3.3 presents a logic that the compiler can use to prove such invariants. In effect, this logic allows the compiler to construct proofs by induction on the length of the partial executions of the program.

In our example, the simplest way for the compiler to generate a proof of (x = 1 ∧ y = 2)5 is for it to generate a set of invariants that represent the analysis results, then use the logic to prove that all of the invariants hold. Here is the set of invariants in our example:

• (x = 1)3

• (x = 1 ∧ y = 2)4

• (x = 1 ∧ y = 2)5

• (x = 1 ∧ y = 2)6

Conceptually, the compiler proves this set of invariants by tracing execution paths. 
The proof is by induction on the structure of the partial executions of the program. For 
each invariant, the compiler first assumes that the invariants at all preceding nodes in the 
control flow graph are true. It then traces the execution through each preceding node 
to verify the invariant at the next node. We next present an outline of the proofs for 
several key invariants. The compiler can use the logic presented in Section 3.3 to produce 
machine-verifiable versions of these proofs. 

• (x = 1)3 because the only preceding node, node 2, sets x to 1.

• To prove (x = 1 ∧ y = 2)4, first assume (x = 1)3 and (x = 1 ∧ y = 2)6. Then consider the two preceding nodes, nodes 3 and 6. Because (x = 1)3 and 3 sets y to 2, (x = 1 ∧ y = 2)4. Because (x = 1 ∧ y = 2)6 and node 6 does not affect the value of either x or y, (x = 1 ∧ y = 2)4.

In this proof we have assumed that the compiler generates an invariant at almost all of 
the nodes in the program. More traditional approaches use fewer invariants, typically one 
invariant per loop, then produce proofs that trace paths consisting of multiple nodes. The 
logic presented in Section 3.3 supports both styles of proofs. 

2.2 Proving Transformations Correct 

When a compiler transforms a program, there are typically some externally observable effects that it must preserve. A standard requirement, for example, is that the compiler must preserve the input/output relation of the program. In our framework, we assume that the compiler is operating on a compilation unit such as a procedure or method, and that there are externally observable variables such as global variables or object instance variables. The compiler must preserve the final values of these variables. All other variables are either parameters or local variables, and the compiler is free to do whatever it wants to with these variables so long as it preserves the final values of the observable variables. The compiler may also assume that the initial values of the observable variables and the parameters are the same in both cases.

In our example, the only requirement is that the transformation must preserve the final value of the variable g. The compiler proves this property by proving a simulation correspondence between the original and transformed programs. To present the correspondence, we must be able to refer, in the same context, to variables and node labels from the two programs. We adopt the convention that all entities from the original program P will have a subscript of P, while all entities from the transformed program T will have a subscript of T. So i_P refers to the variable i in the original program, while i_T refers to the variable i in the transformed program.

In our example, the compiler proves that the transformed program simulates the original program in the following sense: for every execution of the original program P that reaches the final node 7_P, there exists an execution of the transformed program T that reaches the final node 7_T such that g_P at 7_P = g_T at 7_T. We call such a correspondence a simulation invariant, and write it as ⟨g_P⟩7_P ▷ ⟨g_T⟩7_T. In Section 3.4 we present a logic that the compiler can use to prove simulation invariants.

The compiler typically generates a set of simulation invariants, then uses the logic to construct a proof of the correctness of all of the simulation invariants. The proof is by induction on the length of the partial executions of the original program. We next outline how the compiler can use this approach to prove ⟨g_P⟩7_P ▷ ⟨g_T⟩7_T. First, the compiler is given that ⟨g_P⟩1_P ▷ ⟨g_T⟩1_T — in other words, the values of g_P and g_T are the same at the start of the two programs. The compiler then generates the following simulation invariants:

• ⟨(g_P, i_P)⟩2_P ▷ ⟨(g_T, i_T)⟩2_T

• ⟨(g_P, i_P)⟩3_P ▷ ⟨(g_T, i_T)⟩3_T

• ⟨(g_P, i_P)⟩4_P ▷ ⟨(g_T, i_T)⟩4_T

• ⟨(g_P, i_P)⟩5_P ▷ ⟨(g_T, i_T)⟩5_T

• ⟨(g_P, i_P)⟩6_P ▷ ⟨(g_T, i_T)⟩6_T

• ⟨g_P⟩7_P ▷ ⟨g_T⟩7_T

The key simulation invariants are ⟨g_P⟩7_P ▷ ⟨g_T⟩7_T, ⟨(g_P, i_P)⟩6_P ▷ ⟨(g_T, i_T)⟩6_T and ⟨(g_P, i_P)⟩4_P ▷ ⟨(g_T, i_T)⟩4_T. We next outline the proofs of these invariants. The compiler can use the logic presented in Section 3.4 to produce machine-verifiable versions of these proofs.

• To prove ⟨g_P⟩7_P ▷ ⟨g_T⟩7_T, first assume that ⟨(g_P, i_P)⟩4_P ▷ ⟨(g_T, i_T)⟩4_T. For each path to 7_P in P, we must find a corresponding path in T to 7_T such that the values of g_P and g_T are the same in both paths. The only path to 7_P goes from 4_P to 7_P when i_P ≥ 24. The corresponding path in T goes from 4_T to 7_T when i_T ≥ 24. Because ⟨(g_P, i_P)⟩4_P ▷ ⟨(g_T, i_T)⟩4_T, control flows from 4_T to 7_T whenever control flows from 4_P to 7_P. The simulation invariant ⟨(g_P, i_P)⟩4_P ▷ ⟨(g_T, i_T)⟩4_T also implies that the values of g_P and g_T are the same in both cases.

• To prove ⟨(g_P, i_P)⟩6_P ▷ ⟨(g_T, i_T)⟩6_T, assume ⟨(g_P, i_P)⟩5_P ▷ ⟨(g_T, i_T)⟩5_T. The only path to 6_P goes from 5_P to 6_P, with i_P at 6_P = i_P at 5_P + x_P at 5_P + y_P at 5_P. The analysis proofs showed that x_P at 5_P + y_P at 5_P = 3, so i_P at 6_P = i_P at 5_P + 3. The corresponding path in T goes from 5_T to 6_T, with i_T at 6_T = i_T at 5_T + 3.

The assumed simulation invariant ⟨(g_P, i_P)⟩5_P ▷ ⟨(g_T, i_T)⟩5_T allows us to verify a correspondence between the values of i_P at 6_P and i_T at 6_T; namely that they are equal. Because 5_P does not change g_P and 5_T does not change g_T, g_P at 6_P and g_T at 6_T have the same value.

• To prove ⟨(g_P, i_P)⟩4_P ▷ ⟨(g_T, i_T)⟩4_T, first assume ⟨(g_P, i_P)⟩3_P ▷ ⟨(g_T, i_T)⟩3_T and ⟨(g_P, i_P)⟩6_P ▷ ⟨(g_T, i_T)⟩6_T. There are two paths to 4_P:

– Control flows from 3_P to 4_P. The corresponding path in T is from 3_T to 4_T, so we can apply the assumed simulation invariant ⟨(g_P, i_P)⟩3_P ▷ ⟨(g_T, i_T)⟩3_T to derive g_P at 4_P = g_T at 4_T and i_P at 4_P = i_T at 4_T.

– Control flows from 6_P to 4_P, with g_P at 4_P = 2 * i_P at 6_P. The corresponding path in T is from 6_T to 4_T, with g_T at 4_T = 2 * i_T at 6_T. We can apply the assumed simulation invariant ⟨(g_P, i_P)⟩6_P ▷ ⟨(g_T, i_T)⟩6_T to derive 2 * i_P at 6_P = 2 * i_T at 6_T. Since 6_P does not change i_P and 6_T does not change i_T, we can derive g_P at 4_P = g_T at 4_T and i_P at 4_P = i_T at 4_T.

3 Logical Foundations 

In this section we present the logical foundations of credible compilation. We formally 
define a program representation based on control flow graphs and define an operational 
semantics for this representation. We present the logic used to prove standard invariants 
and prove that this logic is sound. We also present the logic used to prove simulation 
invariants and prove that this logic is sound. 



3.1 Program Representation 

We propose that compiler passes use a common intermediate representation based on con- 
trol flow graphs. It is possible, of course, to write translators between intermediate represen- 
tations so that passes that use specialized or merely different intermediate representations 
can participate. In this section we define a simple intermediate representation that we use 
to present the major ideas and concepts in the remainder of the paper. We expect that a 
practical implementation would require a more elaborate intermediate representation. 

We start with expressions e and conditions c. For simplicity we assume the program computes on integer values z ∈ Z, where Z denotes the set of integers. We also assume disjoint sets of local variables l ∈ L and externally observable variables o ∈ O; the set of variables v ∈ V = L ∪ O is the union of these two sets. Variables have integer values and expressions evaluate to integers. The following abstract syntax defines the set of expressions e.



$$e ::= Z \mid V \mid e + e \mid e - e \mid e * e \mid e / e \mid e \% e \mid -e \mid \mathrm{true} \mid \mathrm{false} \mid e = e \mid e \neq e \mid e > e \mid e \geq e \mid e < e \mid e \leq e \mid \neg e \mid e \wedge e \mid e \vee e \mid e \Rightarrow e \mid e \Leftrightarrow e$$

In some cases, we interpret an expression as a condition c whose value is true or false. 
We adopt the C convention that a condition is true if its value is not zero, and false if its 
value is zero. In the expression grammar above, true is 1 and false is 0. 

Each control flow graph is composed of a set of nodes. Each node has its own label; 
these labels are used to determine the flow of control between nodes. Each node is one of 
the following types: 

• Assignment: An assignment node s : v ← e t has its label s, a variable v, an expression e and a label t. When the node executes, it evaluates e and assigns the value to v. Execution continues at the node whose label is t.

• Conditional Branch: A conditional branch node s : br c t_1 t_2 has its label s, a condition c and two labels t_1 and t_2. When the node executes, it evaluates c. If c is true, execution continues at the node whose label is t_1. Otherwise, execution continues at the node whose label is t_2.

• Nop: A nop node s : nop t has its label s and another label t. When the node executes, execution continues at the node whose label is t.

• Exit: The exit node s_x : exit is the last node in the graph.

There is a unique entry node with label s_0 and a unique exit node with label s_x. We require that there be a path from the entry node to the exit node, and that no two distinct nodes have the same label.

We use the notation that s : v ← e t is true if there exists an assignment node with label s, variable v, expression e and label t in the control flow graph, and false otherwise. Also, s : br c t_1 t_2 is true if there is a conditional branch node in the control flow graph with label s, condition c, and labels t_1 and t_2 in the program, and false otherwise, and similarly for nop and exit nodes. We use this notation to define the set of predecessors of a node in the control flow graph:

Definition 1 Given a label t, the set of predecessors of t is the set of all labels of nodes from which control may flow directly to t:

$$\mathit{pred}(t) = \{s \mid s : v \leftarrow e\ t\} \cup \{s \mid s : \mathrm{nop}\ t\} \cup \{s \mid s : \mathrm{br}\ c\ t\ t'\} \cup \{s \mid s : \mathrm{br}\ c\ t'\ t\}$$

We require that the entry node s_0 have no predecessors, i.e., pred(s_0) = ∅. Also note that the exit node has no successors, i.e. for all s, s_x ∉ pred(s).

3.2 Operational Semantics 

We next present a simple operational semantics for control flow graphs. The semantics uses configurations (s, m), which consist of the label s of the next node to execute and a memory m : V → Z that maps each variable to its value. We start by extending the domain of the memory function m to constants and expressions as shown in Figure 5.



$m(z) = z$

$m(e_1 + e_2) = m(e_1) + m(e_2)$

$m(e_1 - e_2) = m(e_1) - m(e_2)$

$m(e_1 * e_2) = m(e_1) * m(e_2)$

$m(e_1 / e_2) = m(e_1) / m(e_2)$

$m(e_1 \% e_2) = m(e_1) \% m(e_2)$

$m(-e) = -m(e)$

$m(\mathrm{true}) = \mathrm{true}$

$m(\mathrm{false}) = \mathrm{false}$

$m(e_1 = e_2) = m(e_1) = m(e_2)$

$m(e_1 > e_2) = m(e_1) > m(e_2)$

$m(e_1 \geq e_2) = m(e_1) \geq m(e_2)$

$m(e_1 < e_2) = m(e_1) < m(e_2)$

$m(e_1 \leq e_2) = m(e_1) \leq m(e_2)$

$m(\neg e) = \neg m(e)$

$m(c_1 \wedge c_2) = m(c_1) \wedge m(c_2)$

$m(c_1 \vee c_2) = m(c_1) \vee m(c_2)$

$m(c_1 \Rightarrow c_2) = m(c_1) \Rightarrow m(c_2)$

$m(c_1 \Leftrightarrow c_2) = m(c_1) \Leftrightarrow m(c_2)$

Figure 5: Extending m to Constants and Expressions

The operational semantics is defined using a transition function → which maps each configuration (s, m) to its successor configuration (s', m'). The successor configuration is obtained by executing the node at label s in the context of memory m. Figure 6 presents the rules that define the transition function. In the initial memory m_0, local variables have the value 0 and observable variables have arbitrary values.

We use the operational semantics to define the concept of a partial execution of a control 
flow graph. A partial execution starts at the entry node in the graph, and executes part of 
the computation. 

Definition 2 A partial execution of a control flow graph is a sequence of configurations (s_0, m_0) → ··· → (s_n, m_n) in which each configuration (s_{i+1}, m_{i+1}) is the successor of the preceding configuration (s_i, m_i) in the sequence.

$$\frac{s : v \leftarrow e\ t}{(s, m) \rightarrow (t, m[v \mapsto m(e)])}\qquad\text{op-assign (1)}$$

$$\frac{s : \mathrm{nop}\ t}{(s, m) \rightarrow (t, m)}\qquad\text{op-nop (2)}$$

$$\frac{s : \mathrm{br}\ c\ t_1\ t_2,\quad m(c)}{(s, m) \rightarrow (t_1, m)}\qquad\text{op-brtrue (3)}$$

$$\frac{s : \mathrm{br}\ c\ t_1\ t_2,\quad \neg m(c)}{(s, m) \rightarrow (t_2, m)}\qquad\text{op-brfalse (4)}$$

Figure 6: Operational Semantics
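As an added example (this code is not from the paper), the node representation of Section 3.1 and the semantics of Figures 5 and 6 carried into a small Python interpreter, run on the programs of Figures 3 and 4 to show that both end with the same value of the observable variable g. The tuple encoding of nodes and expressions, the function names and the step bound are choices made for this example, not notation from the paper.

```python
from typing import Dict, List, Tuple

Memory = Dict[str, int]
CFG = Dict[int, tuple]   # label -> node; see the encodings below

# Node encodings assumed by this example (labels are ints):
#   ('assign', s, v, e, t)   s : v <- e t
#   ('br', s, c, t1, t2)     s : br c t1 t2
#   ('nop', s, t)            s : nop t
#   ('exit', s)              s : exit
# Expressions: int constant z, str variable v, ('op', e1, e2), ('neg', e), ('not', e);
# the Python bools True/False stand for the literals true/false.

def truth(z: int) -> int:
    """C convention of Section 3.1: a condition is true iff non-zero; true is 1, false is 0."""
    return 1 if z != 0 else 0

def evaluate(m: Memory, e) -> int:
    """Figure 5: extend the memory m from variables to constants and expressions."""
    if isinstance(e, bool):          # literals (checked before int: bool is an int subtype)
        return int(e)
    if isinstance(e, int):           # constant z
        return e
    if isinstance(e, str):           # variable v
        return m[e]
    op = e[0]
    if op == 'neg':
        return -evaluate(m, e[1])
    if op == 'not':
        return 1 - truth(evaluate(m, e[1]))
    a, b = evaluate(m, e[1]), evaluate(m, e[2])
    if op == '+': return a + b
    if op == '-': return a - b
    if op == '*': return a * b
    if op == '/': return int(a / b)              # truncating division, as in C
    if op == '%': return a - b * int(a / b)
    if op in ('=', '!=', '<', '<=', '>', '>='):
        return truth({'=': a == b, '!=': a != b, '<': a < b,
                      '<=': a <= b, '>': a > b, '>=': a >= b}[op])
    if op == 'and': return truth(truth(a) and truth(b))
    if op == 'or':  return truth(truth(a) or truth(b))
    if op == '=>':  return truth(not truth(a) or truth(b))
    if op == '<=>': return truth(truth(a) == truth(b))
    raise ValueError(f"unknown operator {op!r}")

def succ(node: tuple) -> tuple:
    """Labels a node can transfer control to."""
    return {'assign': node[4:], 'br': node[3:], 'nop': node[2:]}.get(node[0], ())

def pred(cfg: CFG, t: int) -> set:
    """Definition 1: labels of all nodes from which control may flow directly to t."""
    return {node[1] for node in cfg.values() if t in succ(node)}

def step(cfg: CFG, s: int, m: Memory) -> Tuple[int, Memory]:
    """Figure 6: the transition function on configurations (s, m)."""
    node = cfg[s]
    if node[0] == 'assign':                  # op-assign (1): (s, m) -> (t, m[v |-> m(e)])
        _, _, v, e, t = node
        return t, {**m, v: evaluate(m, e)}
    if node[0] == 'nop':                     # op-nop (2)
        return node[2], m
    if node[0] == 'br':                      # op-brtrue (3) / op-brfalse (4)
        _, _, c, t1, t2 = node
        return (t1 if truth(evaluate(m, c)) else t2), m
    raise RuntimeError("the exit node has no successor configuration")

def run(cfg: CFG, entry: int, m0: Memory, max_steps: int = 10_000) -> Tuple[List[int], Memory]:
    """A partial execution (Definition 2) carried to the exit node: labels visited and final memory."""
    labels, s, m = [entry], entry, m0
    while cfg[s][0] != 'exit':
        if len(labels) > max_steps:
            raise RuntimeError("step bound exceeded (non-terminating program?)")
        s, m = step(cfg, s, m)
        labels.append(s)
    return labels, m

# Constructed sample input: the programs of Figures 3 and 4, one entry per node.
P: CFG = {
    1: ('assign', 1, 'i', 0, 2),
    2: ('assign', 2, 'x', 1, 3),
    3: ('assign', 3, 'y', 2, 4),
    4: ('br', 4, ('<', 'i', 24), 5, 7),
    5: ('assign', 5, 'i', ('+', ('+', 'i', 'x'), 'y'), 6),
    6: ('assign', 6, 'g', ('*', 2, 'i'), 4),
    7: ('exit', 7),
}
T: CFG = {**P, 5: ('assign', 5, 'i', ('+', 'i', 3), 6)}

def initial_memory(g: int) -> Memory:
    """Section 3.2: local variables start at 0; the observable variable g is arbitrary."""
    return {'i': 0, 'x': 0, 'y': 0, 'g': g}

def observable_g_preserved(g0: int) -> bool:
    """The requirement of Section 2.2 for one initial value: both programs end with the same g."""
    _, m_p = run(P, 1, initial_memory(g0))
    _, m_t = run(T, 1, initial_memory(g0))
    return m_p['g'] == m_t['g']

if __name__ == '__main__':
    trace, final = run(P, 1, initial_memory(-1))
    print(trace, final['g'], observable_g_preserved(-1))
```

Running both programs agrees for one initial memory only; it is the simulation proof of Section 2.2, not this interpreter, that covers every initial value of g. The interpreter is useful as the reference against which a proof checker for the logics below can be tested.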

3.3 Standard Invariants 

We next present the logic that the compiler can use to construct proofs that its analysis results are correct. The logic consists of a set of proof rules; these rules are a version of the standard Floyd-Hoare proof rules adapted for control flow graphs. The rules operate on several types of invariants:

• (i)s: the condition i is always true at the program point before the execution of the node whose label is s.

• s(i)t: the condition i is always true at the program point before the execution of the node whose label is t, if control flowed directly to t from s.

• (i)s · t: the condition i is always true at the program point before the execution of the node whose label is s, if control will flow next to t.

The proof rules assume a set I of invariants; we require that invariants of the form s(i)t or (i)s · t do not appear in I. Figure 7 presents the rules. We assume the existence of a logic for proving standard relationships between integers such as z < z + 1 and x < 4 ∧ y < 3 ⟹ x + y < 7.

3.3.1 Proof Trees 

Proofs consist of a tree whose nodes are rule uses. One rule use is a child of another rule use 
if the consequent of the first rule use is an antecedent of the second rule use. Contrary to 
computer science custom (but consistent with nature), proof trees are customarily drawn 
with each parent node below its children. There is a partial order defined on the rule uses 
— a first use precedes a second use if the second use appears on the path from the first use 
to the root. The last rule in the proof tree is therefore the root. 



$$\frac{\mathit{pred}(t) \neq \emptyset,\quad \forall s \in \mathit{pred}(t).\ I \vdash s(i)t}{I \vdash (i)t}\qquad\text{std-pred (5)}$$

$$\frac{s : \mathrm{nop}\ t,\quad I \vdash (i)s \cdot t}{I \vdash s(i)t}\qquad\text{std-nop (6)}$$

$$\frac{s : v \leftarrow e\ t,\quad I \vdash (i[e/v])s \cdot t}{I \vdash s(i)t}\qquad\text{std-assign (7)}$$

$$\frac{s : \mathrm{br}\ c\ t_1\ t_2,\quad I \vdash (c \Rightarrow i)s \cdot t_1}{I \vdash s(i)t_1}\qquad\text{std-brtrue (8)}$$

$$\frac{s : \mathrm{br}\ c\ t_1\ t_2,\quad I \vdash (\neg c \Rightarrow i)s \cdot t_2}{I \vdash s(i)t_2}\qquad\text{std-brfalse (9)}$$

$$\frac{I \vdash (i)s}{I \vdash (i)s \cdot t}\qquad\text{std-seq (10)}$$

$$\frac{(i')s \in I,\quad i' \Rightarrow i}{I \vdash (i)s \cdot t}\qquad\text{std-induction (11)}$$

$$\frac{i}{I \vdash (i)s}\qquad\text{std-base (12)}$$

Figure 7: Proof Rules for Standard Invariants
$$\frac{6 : g \leftarrow 2 * i\ 4,\qquad \dfrac{(x = 1 \wedge y = 2)6 \in I,\quad x = 1 \wedge y = 2 \Rightarrow x = 1 \wedge y = 2}{I \vdash (x = 1 \wedge y = 2)6 \cdot 4}}{I \vdash 6(x = 1 \wedge y = 2)4}$$

Figure 8: Full Proof Tree for I ⊢ 6(x = 1 ∧ y = 2)4

$$\frac{\dfrac{(x = 1 \wedge y = 2)6 \in I}{I \vdash (x = 1 \wedge y = 2)6 \cdot 4}}{I \vdash 6(x = 1 \wedge y = 2)4}$$

Figure 9: Abbreviated Proof Tree for I ⊢ 6(x = 1 ∧ y = 2)4

$$\frac{\dfrac{\dfrac{(x = 1)3 \in I}{I \vdash (x = 1 \wedge 2 = 2)3 \cdot 4}}{I \vdash 3(x = 1 \wedge y = 2)4}\qquad \dfrac{\dfrac{(x = 1 \wedge y = 2)6 \in I}{I \vdash (x = 1 \wedge y = 2)6 \cdot 4}}{I \vdash 6(x = 1 \wedge y = 2)4}}{I \vdash (x = 1 \wedge y = 2)4}$$

Figure 10: Abbreviated Proof Tree for I ⊢ (x = 1 ∧ y = 2)4

Figure 8 presents the proof tree for I ⊢ 6(x = 1 ∧ y = 2)4. To save space on the page, from now on we present proof trees in abbreviated form. This form omits details such as antecedents that are references to nodes in the control flow graph or trivial implications. Figure 9 presents the abbreviated proof tree for I ⊢ 6(x = 1 ∧ y = 2)4. Figure 10 presents the abbreviated proof tree for I ⊢ (x = 1 ∧ y = 2)4. In these proof trees,

I = {(x = 1)3, (x = 1 ∧ y = 2)4, (x = 1 ∧ y = 2)5, (x = 1 ∧ y = 2)6}
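The proof outline of Section 2.1 and the rules of Figure 7, as an added Python example that is not from the paper: a checker that discharges, for each invariant in I, the obligation that rules 5 through 12 impose at every predecessor of its node. In place of the external integer logic the paper assumes, it uses a three-valued evaluator that knows only the constants a conjunction of v = z atoms fixes, which is sound but incomplete. The tuple encoding, the function names and the sample invariant set are this example's own assumptions.

```python
# Expressions: int constant, str variable, ('op', e1, e2), ('neg', e), ('not', e);
# Python True/False are the literals. Nodes: ('assign', s, v, e, t), ('br', s, c, t1, t2),
# ('nop', s, t), ('exit', s). Both encodings are assumptions of this example.

def succ(node):
    """Labels a node can transfer control to."""
    return {'assign': node[4:], 'br': node[3:], 'nop': node[2:]}.get(node[0], ())

def pred(cfg, t):
    """Definition 1: labels of the nodes from which control may flow directly to t."""
    return {node[1] for node in cfg.values() if t in succ(node)}

def subst(i, v, r):
    """i[r/v]: replace every occurrence of the variable v in i by the expression r."""
    if isinstance(i, str):
        return r if i == v else i
    if isinstance(i, tuple):
        return (i[0],) + tuple(subst(x, v, r) for x in i[1:])
    return i

def tv(e, m):
    """Three-valued evaluation under a partial memory m: 1 true, 0 false, None unknown.
    Connectives follow Kleene logic, so c => i holds whenever i does, whatever c is."""
    if isinstance(e, bool): return int(e)
    if isinstance(e, int): return e
    if isinstance(e, str): return m.get(e)
    op = e[0]
    if op in ('not', 'neg'):
        a = tv(e[1], m)
        return None if a is None else (int(not a) if op == 'not' else -a)
    a, b = tv(e[1], m), tv(e[2], m)
    if op == '=>':                                   # c => i is (not c) or i
        a, op = (None if a is None else int(not a)), 'or'
    if op == 'and':
        return 0 if a == 0 or b == 0 else (None if None in (a, b) else 1)
    if op == 'or':
        return 1 if a not in (None, 0) or b not in (None, 0) else (None if None in (a, b) else 0)
    if a is None or b is None:
        return None
    return {'+': a + b, '-': a - b, '*': a * b, '=': int(a == b), '!=': int(a != b),
            '<': int(a < b), '<=': int(a <= b), '>': int(a > b), '>=': int(a >= b)}[op]

def constants(i):
    """The partial memory a standard invariant pins down: its v = z conjuncts.
    Other conjuncts are dropped, which can only lose facts, never invent them."""
    m = {}
    if isinstance(i, tuple) and i[0] == 'and':
        m.update(constants(i[1])); m.update(constants(i[2]))
    elif isinstance(i, tuple) and i[0] == '=' and isinstance(i[1], str) and isinstance(i[2], int):
        m[i[1]] = i[2]
    return m

def obligation(node, t, i):
    """The partial invariant (i')s . t that rules 6-9 require at predecessor s of t."""
    if node[0] == 'assign':                               # std-assign (7): (i[e/v])s . t
        return subst(i, node[2], node[3])
    if node[0] == 'br':                                   # std-brtrue (8) / std-brfalse (9)
        return ('=>', node[2] if node[3] == t else ('not', node[2]), i)
    return i                                              # std-nop (6)

def check_invariants(cfg, I):
    """Discharge the obligations of Figure 7 for every (i)t in I = {t: i}.
    Returns the failing (t, s) edges; an empty list means I |- (i)t for all of them."""
    failures = []
    for t, i in I.items():
        preds = pred(cfg, t)
        if not preds and tv(i, {}) != 1:                  # entry node: std-base (12), i must be valid
            failures.append((t, None))
        for s in preds:                                   # std-pred (5): one obligation per predecessor
            # (i')s . t follows by std-seq (10) from (i')s, which std-induction (11) gives when an
            # invariant at s is in I, and std-base (12) gives when i' is valid on its own.
            if tv(obligation(cfg[s], t, i), constants(I.get(s))) != 1:
                failures.append((t, s))
    return failures

# Constructed sample input: the program of Figure 3 and the invariant set I of Section 2.1.
P = {1: ('assign', 1, 'i', 0, 2), 2: ('assign', 2, 'x', 1, 3), 3: ('assign', 3, 'y', 2, 4),
     4: ('br', 4, ('<', 'i', 24), 5, 7), 5: ('assign', 5, 'i', ('+', ('+', 'i', 'x'), 'y'), 6),
     6: ('assign', 6, 'g', ('*', 2, 'i'), 4), 7: ('exit', 7)}
XY = ('and', ('=', 'x', 1), ('=', 'y', 2))
I = {3: ('=', 'x', 1), 4: XY, 5: XY, 6: XY}

if __name__ == '__main__':
    print(check_invariants(P, I))                        # []: every invariant in I is proved
    print(check_invariants(P, {**I, 3: ('=', 'x', 2)}))  # a wrong analysis result is caught
```

The edge obligation from node 3 to node 4 is exactly the left branch of Figure 10: substituting 2 for y in x = 1 ∧ y = 2 gives x = 1 ∧ 2 = 2, which the invariant (x = 1)3 discharges. Replacing (x = 1)3 by a wrong analysis result makes both that obligation and the one at node 3 fail, which is how a checker localises a faulty pass.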

3.3.2 Soundness of Proof Rules for Standard Invariants

We next prove a key soundness theorem: that if there exists a proof of all of the invariants 
in I, then the invariants correctly reflect the relationships during the execution of the 
program. We first prove a lemma used in the theorem, then prove the theorem itself. 

Lemma 1 Assume for all (i)s ∈ I, I ⊢ (i)s. Also assume a proof of I ⊢ (i)s · t and a partial execution (s_0, m_0) → ··· → (s, m) such that I ⊢ (i')s implies m(i') is true. Then m(i) is true.

Proof: We do a case analysis of the last rule in the proof of I ⊢ (i)s · t. Rules 10 and 11 are the only rules of the correct form.

• The last rule in the proof is rule 10. In this case we have a proof of I ⊢ (i)s, and by assumption m(i) is true.

• The last rule in the proof is rule 11 with (i')s ∈ I and i' ⟹ i, which implies m(i') ⟹ m(i). By assumption (i')s ∈ I implies I ⊢ (i')s, which implies m(i') is true. We can therefore simplify m(i') ⟹ m(i) to m(i) is true.




Theorem 1 Assume for all standard invariants (i)s ∈ I, I ⊢ (i)s. Then I ⊢ (i)t and (s_0, m_0) → ··· → (t, m) implies m(i) is true.

Proof: Induction on the length of the partial execution (s_0, m_0) → ··· → (t, m).

Base: In this case t = s_0, which implies pred(t) = ∅. The proof is therefore a use of rule 12 with i, which implies m(i) is true.

Induction: In this case the partial execution is at least one step long, so we can write it as (s_0, m_0) → ··· → (s, m') → (t, m) for some s ∈ pred(t). We do a case analysis of the last rule in the proof of I ⊢ (i)t. Rules 12 and 5 are the only rules of the correct form.

• The last rule is 12 with i, which implies m(i) is true.

• The last rule is 5. Because s ∈ pred(t), there is a proof of I ⊢ s(i)t. We do a case analysis of the last rule in this proof. Rules 6, 7, 8 and 9 are the only rules of the correct form.

– The last rule is 6, with s : nop t. Then m = m' and we have a proof of I ⊢ (i)s · t. By Lemma 1, m(i) is true.

– The last rule is 7, with s : v ← e t. Then m = m'[v ↦ m'(e)] and we have a proof of I ⊢ (i[e/v])s · t. By Lemma 1, m'(i[e/v]) is true, which we can rewrite as m'[v ↦ m'(e)](i) is true, then simplify to m(i) is true.

– The last rule is 8, with s : br c t t', m' = m, and m'(c) is true, and there is a proof of I ⊢ (c ⟹ i)s · t. By Lemma 1, m'(c ⟹ i) is true, which we can simplify to m'(c) ⟹ m'(i), then to m(i) is true.

– The last rule is 9, with s : br c t' t, m' = m, and m'(c) is false, and there is a proof of I ⊢ (¬c ⟹ i)s · t. By Lemma 1, m'(¬c ⟹ i) is true, which we can simplify to m'(¬c) ⟹ m'(i), then to m(i) is true.

3.4 Simulation Invariants 

We next present the logic that the compiler uses to prove simulation invariants between two programs P and T. We assume that P and T are two disjoint control flow graphs with entry nodes s_0^P and s_0^T and initial memories m_0^P and m_0^T, respectively. We also assume sets {o_1^P, …, o_n^P} and {o_1^T, …, o_n^T} of externally observable variables and that corresponding externally observable variables have the same values at the start of the program — i.e., m_0^P(o_i^P) = m_0^T(o_i^T) for 1 ≤ i ≤ n.

For purposes of presentation, we adopt the convention that P is the original program and T is the transformed program, although of course the logic imposes no constraint on the origin of the two programs. Simulation invariants consist of two partial simulation invariants that together express a simulation relationship between the partial executions of the programs. For example, ⟨c_1, e_1⟩s_1 ▷ ⟨c_2, e_2⟩s_2 is true if for all partial executions of P that reach s_1 with the condition c_1 true, there exists a partial execution of T that reaches s_2 with c_2 true such that e_1 = e_2. Like the logic for standard invariants presented in Section 3.3, the logic for simulation invariants uses multiple labels to express how the flow of control affects relationships between the two programs.

Definition 3 A partial simulation invariant p has the form ⟨c, e⟩t, s⟨c, e⟩t or ⟨c, e⟩s · t, where c is a condition and e is an expression.

We adopt the convention that a partial simulation invariant of the form ⟨e⟩t, s⟨e⟩t, or ⟨e⟩s · t denotes, respectively, ⟨true, e⟩t, s⟨true, e⟩t, or ⟨true, e⟩s · t.

Definition 4 A simulation invariant has the form p_1 ▷ p_2, where p_1 and p_2 are partial simulation invariants.

Figures 11, 12, and 13 present the proof rules. Each proof propagates the partial 
simulation invariants against the flow of control through the two programs. Eventually, 
the partial simulation invariants reach program points where it is possible to terminate the 
proof by applying rule 13 or rule 14. The rules in Figure 12 propagate the partial simulation 
invariant from the original program; the rules in Figure 13 propagate the partial simulation 
invariant from the transformed program. 

The proof rules all refer to a set I of invariants. In general, this set will contain both standard invariants of the form (c)s and simulation invariants of the form ⟨c_1, e_1⟩s_1 ▷ ⟨c_2, e_2⟩s_2. We require that it does not contain simulation invariants whose partial simulation invariants are of the form s⟨c, e⟩t or ⟨c, e⟩s · t.

The proof rules illustrate a key difference between the treatment of the original and 
transformed programs. Rule 15 requires that the simulation invariant hold on all paths 
in the original program. Rule 22 requires only that the simulation invariant hold on one 
path in the transformed program. This difference reflects the asymmetry in the implicit 
quantifiers of the simulation invariant, which is true if for all paths in the original program, 
there exists a path in the transformed program that satisfies the appropriate conditions. 



$$\frac{(o_1^P, \dots, o_n^P) = (o_1^T, \dots, o_n^T) \wedge c_1 \Rightarrow c_2 \wedge e_1 = e_2}{I \vdash \langle c_1, e_1 \rangle s_0^P \triangleright \langle c_2, e_2 \rangle s_0^T}\qquad\text{base (13)}$$

$$\frac{I \vdash (i_1)s_1,\quad I \vdash (i_2)s_2,\quad \langle c_1', e_1' \rangle s_1 \triangleright \langle c_2', e_2' \rangle s_2 \in I,\quad i_1 \wedge c_1 \Rightarrow c_1',\quad i_1 \wedge i_2 \wedge c_1 \wedge e_1' = e_2' \Rightarrow (c_2 \wedge e_1 = e_2)}{I \vdash \langle c_1, e_1 \rangle s_1 \cdot t \triangleright \langle c_2, e_2 \rangle s_2}\qquad\text{induction (14)}$$

Figure 11: Simulation Invariant Base and Induction Proof Rules



3.4.1 The Simulation Condition 

To prove that the transformed program simulates the original program, the compiler generates a set of invariants I and a proof of each invariant. We require one of the invariants to state that the transformed program preserves the values of the externally observable variables. We formalize this concept as follows:

Definition 5 A transformed program T simulates an original program P if there exists a 
set of invariants I such that 

• for all standard invariants (i)s ∈ I, I ⊢ (i)s,

• for all simulation invariants ⟨c_1, e_1⟩s_1 ▷ ⟨c_2, e_2⟩s_2 ∈ I, I ⊢ ⟨c_1, e_1⟩s_1 ▷ ⟨c_2, e_2⟩s_2, and

• the simulation invariant ⟨(o_1^P, …, o_n^P)⟩s_x^P ▷ ⟨(o_1^T, …, o_n^T)⟩s_x^T ∈ I, where {o_1^P, …, o_n^P} and {o_1^T, …, o_n^T} are the sets of corresponding externally observable variables, s_x^P is the exit node in P, and s_x^T is the exit node in T.

$$\frac{\mathit{pred}(t) \neq \emptyset,\quad \forall s \in \mathit{pred}(t).\ I \vdash s\langle c, e \rangle t \triangleright p}{I \vdash \langle c, e \rangle t \triangleright p}\qquad\text{orig-pred (15)}$$

$$\frac{s : \mathrm{nop}\ t,\quad I \vdash \langle c, e \rangle s \cdot t \triangleright p}{I \vdash s\langle c, e \rangle t \triangleright p}\qquad\text{orig-nop (16)}$$

$$\frac{s : v \leftarrow e'\ t,\quad I \vdash \langle c[e'/v], e[e'/v] \rangle s \cdot t \triangleright p}{I \vdash s\langle c, e \rangle t \triangleright p}\qquad\text{orig-assign (17)}$$

$$\frac{s : \mathrm{br}\ c'\ t_1\ t_2,\quad I \vdash \langle c \wedge c', e \rangle s \cdot t_1 \triangleright p}{I \vdash s\langle c, e \rangle t_1 \triangleright p}\qquad\text{orig-brtrue (18)}$$

$$\frac{s : \mathrm{br}\ c'\ t_1\ t_2,\quad I \vdash \langle c \wedge \neg c', e \rangle s \cdot t_2 \triangleright p}{I \vdash s\langle c, e \rangle t_2 \triangleright p}\qquad\text{orig-brfalse (19)}$$

$$\frac{I \vdash \langle c_1, e \rangle s \cdot t \triangleright p,\quad I \vdash \langle c_2, e \rangle s \cdot t \triangleright p,\quad c \Rightarrow c_1 \vee c_2}{I \vdash \langle c, e \rangle s \cdot t \triangleright p}\qquad\text{(20)}$$

$$\frac{I \vdash \langle c, e \rangle s \triangleright p}{I \vdash \langle c, e \rangle s \cdot t \triangleright p}\qquad\text{orig-step (21)}$$

Figure 12: Proof Rules for the Original Program P

$$\frac{\exists s \in \mathit{pred}(t).\ I \vdash p \triangleright s\langle c, e \rangle t}{I \vdash p \triangleright \langle c, e \rangle t}\qquad\text{trans-pred (22)}$$

$$\frac{s : \mathrm{nop}\ t,\quad I \vdash p \triangleright \langle c, e \rangle s}{I \vdash p \triangleright s\langle c, e \rangle t}\qquad\text{trans-nop (23)}$$

$$\frac{s : v \leftarrow e'\ t,\quad I \vdash p \triangleright \langle c[e'/v], e[e'/v] \rangle s}{I \vdash p \triangleright s\langle c, e \rangle t}\qquad\text{trans-assign (24)}$$

$$\frac{s : \mathrm{br}\ c'\ t_1\ t_2,\quad I \vdash p \triangleright \langle c \wedge c', e \rangle s}{I \vdash p \triangleright s\langle c, e \rangle t_1}\qquad\text{trans-brtrue (25)}$$

$$\frac{s : \mathrm{br}\ c'\ t_1\ t_2,\quad I \vdash p \triangleright \langle c \wedge \neg c', e \rangle s}{I \vdash p \triangleright s\langle c, e \rangle t_2}\qquad\text{trans-brfalse (26)}$$

Figure 13: Proof Rules for the Transformed Program T

3.4.2 Standard Form Proofs of Simulation Invariants 

We next introduce the concept of a standard form for proofs of simulation invariants. This standard form simplifies the presentation of the soundness proofs. A standard form proof has the following structure. Each leaf in the proof tree is a use of rule 13 or 14. Along each path in the proof tree from the leaves towards the root, the proof first uses rules 22 through 26 to propagate the partial simulation invariant from the transformed program through the program. Note that in this phase of the proof tree, each rule use has exactly one child. Next, uses of rules 15 through 21 appear on the path. These uses propagate the partial simulation invariant from the original program P. Because the proof must verify the simulation invariant for all paths in the original program, uses of rule 15 will have one child for each predecessor of the corresponding node in the control flow graph.

Definition 6 A proof of a simulation invariant is in standard form if all uses of rules 22 through 26 precede all uses of rules 15 through 21.

Theorem 2 If $I \vdash p_1 \triangleright p_2$, then there exists a proof of $I \vdash p_1 \triangleright p_2$ that is in standard form.

Proof: Induction on the depth of the proof of $I \vdash p_1 \triangleright p_2$.

Base: The proof is a use of rule 13 or 14. By definition of standard form, the proof is in standard form.

Induction Step: We assume that the proof is in standard form except for the last rule, then find an equivalent proof in standard form. We do a case analysis of the last rule.

• The last rule is one of 15 through 21. By definition of standard form, the proof is in standard form.

• The last rule is one of 22 through 26. The proof is in standard form unless the next-to-last rule is one of 15 through 21. We do a case analysis on the next-to-last rule.

— The next-to-last rule is 21 or one of 16 through 19. Then the proof is of the form:

$$\frac{\dfrac{\pi}{I \vdash p_1 \triangleright p'_2}}{I \vdash p_1 \triangleright p_2}$$

We can switch the last two rules of the proof to obtain the following equivalent proof:

$$\frac{\dfrac{\pi}{I \vdash p'_1 \triangleright p_2}}{I \vdash p_1 \triangleright p_2}$$

By the induction hypothesis, we can obtain an equivalent standard form proof $\pi'$ for the proof

$$\frac{\pi}{I \vdash p'_1 \triangleright p_2}$$

The following proof is then in standard form:

$$\frac{\pi'}{I \vdash p_1 \triangleright p_2}$$

— The next-to-last rule is 15. Then the proof is of the form:

$$\frac{\dfrac{\dfrac{\pi_1}{I \vdash p^1_1 \triangleright p'_2}\ \cdots\ \dfrac{\pi_n}{I \vdash p^n_1 \triangleright p'_2}}{I \vdash p_1 \triangleright p'_2}}{I \vdash p_1 \triangleright p_2}$$

We can push the last rule of the proof through rule 15 to convert the proof to an equivalent proof of the form:

$$\frac{\dfrac{\dfrac{\pi_1}{I \vdash p^1_1 \triangleright p'_2}}{I \vdash p^1_1 \triangleright p_2}\ \cdots\ \dfrac{\dfrac{\pi_n}{I \vdash p^n_1 \triangleright p'_2}}{I \vdash p^n_1 \triangleright p_2}}{I \vdash p_1 \triangleright p_2}$$

By the induction hypothesis, we can obtain a standard form proof $\pi'_i$ for each of the proofs

$$\frac{\dfrac{\pi_i}{I \vdash p^i_1 \triangleright p'_2}}{I \vdash p^i_1 \triangleright p_2}$$

then use these standard form proofs to construct the following standard form proof of $I \vdash p_1 \triangleright p_2$:

$$\frac{\pi'_1\ \cdots\ \pi'_n}{I \vdash p_1 \triangleright p_2}$$

— The next-to-last rule is 20. Then the proof is of the form:

$$\frac{\dfrac{\dfrac{\pi_1}{I \vdash (c_1,e)s \cdot t \triangleright p'}\ \dfrac{\pi_2}{I \vdash (c_2,e)s \cdot t \triangleright p'}\ c \Rightarrow c_1 \vee c_2}{I \vdash (c,e)s \cdot t \triangleright p'}}{I \vdash (c,e)s \cdot t \triangleright p}$$

We can push the last rule of the proof through rule 20 to convert the proof to an equivalent proof of the form:

$$\frac{\dfrac{\dfrac{\pi_1}{I \vdash (c_1,e)s \cdot t \triangleright p'}}{I \vdash (c_1,e)s \cdot t \triangleright p}\ \dfrac{\dfrac{\pi_2}{I \vdash (c_2,e)s \cdot t \triangleright p'}}{I \vdash (c_2,e)s \cdot t \triangleright p}\ c \Rightarrow c_1 \vee c_2}{I \vdash (c,e)s \cdot t \triangleright p}$$

By the induction hypothesis, we can obtain standard form proofs $\pi'_1$ and $\pi'_2$ for the two proofs

$$\frac{\dfrac{\pi_1}{I \vdash (c_1,e)s \cdot t \triangleright p'}}{I \vdash (c_1,e)s \cdot t \triangleright p}\qquad\frac{\dfrac{\pi_2}{I \vdash (c_2,e)s \cdot t \triangleright p'}}{I \vdash (c_2,e)s \cdot t \triangleright p}$$

then use these standard form proofs to construct the following standard form proof of $I \vdash p_1 \triangleright p_2$:

$$\frac{\pi'_1\ \pi'_2\ c \Rightarrow c_1 \vee c_2}{I \vdash p_1 \triangleright p_2}$$

3.4.3 Soundness of Proof Rules for Simulation Invariants 

We next show that the proof rules for simulation invariants are sound. We first prove two 
lemmas, then the theorem. 

Lemma 2 Assume that for all $(i)s \in I$, $I \vdash (i)s$ and for all $(c_1,e_1)s_1 \triangleright (c_2,e_2)s_2 \in I$, $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. Assume a standard form proof of $I \vdash p \triangleright (c_2,e_2)s_2$ whose last rule is one of 13, 14 or 22, where $p = (c_1,e_1)s_1$ or $p = (c_1,e_1)s_1 \cdot t$. Also assume a partial execution $\langle s^P_0,m^P_0\rangle \rightarrow \cdots \rightarrow \langle s_1,m_1\rangle$ such that $m_1(c_1)$ is true. If $p = (c_1,e_1)s_1 \cdot t$, also assume that $I \vdash (c',e')s_1 \triangleright (c,e)s$ and $m_1(c')$ is true implies that there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle$ such that $m(c)$ is true and $m_1(e') = m(e)$. Then there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Proof: Induction on the length of the proof of $I \vdash p \triangleright (c_2,e_2)s_2$.

Base: The proof consists of a use of either rule 13 or rule 14. We do a case analysis of this rule.

• The proof is a use of rule 13 with $(o^P_1,\ldots,o^P_n) = (o^T_1,\ldots,o^T_n) \wedge c_1 \Rightarrow c_2 \wedge e_1 = e_2$. Then $m_1 = m^P_0$ and $m_2 = m^T_0$, which implies $m_1(e_1) = m_2(e_2)$ and $m_1(c_1) \Rightarrow m_2(c_2)$. Because $m_1(c_1)$ is true, $m_2(c_2)$ is true.

• The proof is a use of rule 14 with $p = (c_1,e_1)s_1 \cdot t$, $I \vdash (i_1)s_1$, $I \vdash (i_2)s_2$, $(c'_1,e'_1)s_1 \triangleright (c'_2,e'_2)s_2 \in I$, $i_1 \wedge c_1 \Rightarrow c'_1$ and $i_1 \wedge i_2 \wedge c_1 \wedge e'_1 = e'_2 \Rightarrow (c_2 \wedge e_1 = e_2)$. By assumption $m_1(c_1)$ is true, by Theorem 1 $m_1(i_1)$ is true, so $i_1 \wedge c_1 \Rightarrow c'_1$ implies $m_1(c'_1)$ is true. By assumption, $(c'_1,e'_1)s_1 \triangleright (c'_2,e'_2)s_2 \in I$ implies that $I \vdash (c'_1,e'_1)s_1 \triangleright (c'_2,e'_2)s_2$, so there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m\rangle$ such that $m(c'_2)$ is true and $m_1(e'_1) = m(e'_2)$. By Theorem 1 $m(i_2)$ is true. Let $m_2 = m$. Then $i_1 \wedge i_2 \wedge c_1 \wedge e'_1 = e'_2 \Rightarrow (c_2 \wedge e_1 = e_2)$ implies $m_1(i_1) \wedge m_2(i_2) \wedge m_1(c_1) \wedge m_1(e'_1) = m_2(e'_2) \Rightarrow (m_2(c_2) \wedge m_1(e_1) = m_2(e_2))$, which can be simplified to obtain $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Induction: We do a case analysis of the last rule of the proof. Because the proof is at least two rules deep, the last rule cannot be rule 13 or 14. So the last rule must be 22. In this case there is a standard form proof of $I \vdash p \triangleright s(c_2,e_2)s_2$. We do a case analysis of the last rule of this proof. Because the proof is in standard form, rules 23, 24, 25, and 26 are the only possibilities.

• The last rule is 23 with $s : \mathrm{nop}\ s_2$. There is a standard form proof $\pi$ of $I \vdash p \triangleright (c_2,e_2)s$. Consider the last rule in $\pi$. Because this proof can be extended using rule 23, then rule 22 to a standard form proof of $I \vdash p \triangleright (c_2,e_2)s_2$, the last rule in $\pi$ is not one of rules 15 through 21. The only other rules that are of the correct form are rules 13, 14, and 22. By the induction hypothesis, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle$ such that $m(c_2)$ is true and $m_1(e_1) = m(e_2)$. We can extend this partial execution to a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle \rightarrow \langle s_2,m_2\rangle$, where $m_2 = m$. Then $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

• The last rule is 24 with $s : v \leftarrow e\ s_2$. There is a standard form proof $\pi$ of $I \vdash p \triangleright (c_2[e/v],e_2[e/v])s$. Consider the last rule in $\pi$. Because this proof can be extended using rule 24, then rule 22 to a standard form proof of $I \vdash p \triangleright (c_2,e_2)s_2$, the last rule in $\pi$ is not one of rules 15 through 21. The only other rules that are of the correct form are rules 13, 14, and 22. By the induction hypothesis, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle$ such that $m(c_2[e/v])$ is true and $m_1(e_1) = m(e_2[e/v])$. We can extend this partial execution to a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle \rightarrow \langle s_2,m_2\rangle$, where $m_2 = m[v \mapsto m(e)]$. We can then simplify $m(c_2[e/v])$ is true to $m[v \mapsto m(e)](c_2)$ is true, then to $m_2(c_2)$ is true. Similarly, we can simplify $m_1(e_1) = m(e_2[e/v])$ to $m_1(e_1) = m_2(e_2)$.

• The last rule is rule 25 with $s : \mathrm{br}\ c\ s_2\ t$. There is a standard form proof of $I \vdash p \triangleright (c_2 \wedge c,e_2)s$ whose last rule is 13, 14, or 22. By the induction hypothesis, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle$ such that $m(c_2 \wedge c)$ is true and $m_1(e_1) = m(e_2)$. Because $m(c)$ is true, we can extend this partial execution to a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle \rightarrow \langle s_2,m_2\rangle$, where $m_2 = m$, and obtain $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

• The last rule is rule 26 with $s : \mathrm{br}\ c\ t\ s_2$. There is a standard form proof of $I \vdash p \triangleright (c_2 \wedge \neg c,e_2)s$ whose last rule is 13, 14, or 22. By the induction hypothesis, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle$ such that $m(c_2 \wedge \neg c)$ is true and $m_1(e_1) = m(e_2)$. Because $m(c)$ is false, we can extend this partial execution to a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle \rightarrow \langle s_2,m_2\rangle$, where $m_2 = m$, and obtain $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Lemma 3 Assume that for all $(i)s \in I$, $I \vdash (i)s$ and for all $(c_1,e_1)s_1 \triangleright (c_2,e_2)s_2 \in I$, $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. Assume a standard form proof of $I \vdash (c_1,e_1)s_1 \cdot t \triangleright (c_2,e_2)s_2$ and a partial execution $\langle s^P_0,m^P_0\rangle \rightarrow \cdots \rightarrow \langle s_1,m_1\rangle$ such that $m_1(c_1)$ is true. Also assume that $I \vdash (c',e')s_1 \triangleright (c,e)s$ and $m_1(c')$ is true implies that there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle$ such that $m(c)$ is true and $m_1(e') = m(e)$. Then there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Proof: Consider the proof tree of $I \vdash (c_1,e_1)s_1 \cdot t \triangleright (c_2,e_2)s_2$. Given a path in this tree from the root to a leaf, we can start at the root and compute the number of consecutive uses of rule 20 until the first use of a different rule. We call this number the case analysis number of the path. If, for example, the last rule in the proof is not a use of rule 20, then the root is not a use of rule 20 and, for all paths, the case analysis number is zero. The proof is by induction on the maximum over all paths from the root to a leaf of the case analysis number of the path.

Base: In this case the last rule of the proof is not 20. The only other rules that are of the correct form are rules 14, 22, and 21. We do a case analysis on the last rule of the proof:

• The last rule is 14 or 22. By Lemma 2, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

• The last rule is 21, with $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. Then by assumption, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Induction: Assume that the proof has maximum case analysis number $k$, where $k$ is at least one, and the lemma holds for all proofs with maximum case analysis number less than $k$. In this case the last rule of the proof is 20 with $c_1 \Rightarrow c^1_1 \vee c^2_1$, and proofs of $I \vdash (c^1_1,e_1)s_1 \cdot t \triangleright (c_2,e_2)s_2$ and $I \vdash (c^2_1,e_1)s_1 \cdot t \triangleright (c_2,e_2)s_2$. Note that these proofs have a maximum case analysis number less than $k$. If we can show that either $m_1(c^1_1)$ is true or $m_1(c^2_1)$ is true, we can apply the induction hypothesis to one of the proofs.

Note that $c_1 \Rightarrow c^1_1 \vee c^2_1$ implies $m_1(c_1) \Rightarrow m_1(c^1_1) \vee m_1(c^2_1)$. Because $m_1(c_1)$ is true, either $m_1(c^1_1)$ is true or $m_1(c^2_1)$ is true. Then by the induction hypothesis, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Theorem 3 Assume that for all $(i)s \in I$, $I \vdash (i)s$ and for all $(c_1,e_1)s_1 \triangleright (c_2,e_2)s_2 \in I$, $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. Then for all standard form proofs of $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$ and for all partial executions $\langle s^P_0,m^P_0\rangle \rightarrow \cdots \rightarrow \langle s_1,m_1\rangle$ such that $m_1(c_1)$ is true, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Proof: Induction on the length of the partial execution $\langle s^P_0,m^P_0\rangle \rightarrow \cdots \rightarrow \langle s_1,m_1\rangle$.

Base: If the length is 0, then $s_1 = s^P_0$ and $\mathrm{pred}(s_1) = \emptyset$. We do a case analysis of the last rule of the proof of $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. The only rules that are of the correct form are rules 13, 15, and 22. Because $\mathrm{pred}(s_1) = \emptyset$, rule 15 cannot be the last rule.

• The last rule is 13 or 22. Then by Lemma 2, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

Induction: In this case the partial execution of P is at least one step long, so we can write it as $\langle s^P_0,m^P_0\rangle \rightarrow \cdots \rightarrow \langle s,m\rangle \rightarrow \langle s_1,m_1\rangle$. We do a case analysis of the last rule of the proof of $I \vdash (c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. The only rules that are of the correct form are rules 13, 15, and 22.

• The last rule is 13 or 22. By Lemma 2, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

• The last rule is 15. Because $s \in \mathrm{pred}(s_1)$, there is a standard form proof of $I \vdash s(c_1,e_1)s_1 \triangleright (c_2,e_2)s_2$. We do a case analysis of the last rule in this proof. Because the proof is in standard form, 22 is not the last rule. The only other rules that are of the correct form are 16, 17, 18, and 19.

— The last rule is 16, with $s : \mathrm{nop}\ s_1$. Then $m_1 = m$. By assumption $m_1(c_1)$ is true, which implies that $m(c_1)$ is true. There is also a standard form proof of $I \vdash (c_1,e_1)s \cdot s_1 \triangleright (c_2,e_2)s_2$. By Lemma 3, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m(e_1) = m_2(e_2)$, which implies that $m_1(e_1) = m_2(e_2)$.

— The last rule is 17, with $s : v \leftarrow e\ s_1$. Then $m_1 = m[v \mapsto m(e)]$. By assumption $m_1(c_1)$ is true, which implies that $m(c_1[e/v])$ is true. There is also a standard form proof of $I \vdash (c_1[e/v],e_1[e/v])s \cdot s_1 \triangleright (c_2,e_2)s_2$. By Lemma 3, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m(e_1[e/v]) = m_2(e_2)$, which we can simplify to $m_1(e_1) = m_2(e_2)$.

— The last rule is 18, with $s : \mathrm{br}\ c\ s_1\ t$. Then $m_1 = m$ and $m(c)$ is true. By assumption $m_1(c_1)$ is true, which implies that $m(c_1 \wedge c)$ is true. There is also a standard form proof of $I \vdash (c_1 \wedge c,e_1)s \cdot s_1 \triangleright (c_2,e_2)s_2$. By Lemma 3, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

— The last rule is 19, with $s : \mathrm{br}\ c\ t\ s_1$. Then $m_1 = m$ and $m(c)$ is false. By assumption $m_1(c_1)$ is true, which implies that $m(c_1 \wedge \neg c)$ is true. There is also a standard form proof of $I \vdash (c_1 \wedge \neg c,e_1)s \cdot s_1 \triangleright (c_2,e_2)s_2$. By Lemma 3, there exists a partial execution $\langle s^T_0,m^T_0\rangle \rightarrow \cdots \rightarrow \langle s_2,m_2\rangle$ such that $m_2(c_2)$ is true and $m_1(e_1) = m_2(e_2)$.

4 Optimization Schemas 

We next present examples that illustrate how to prove the correctness of a variety of 
standard optimizations. Our goal is to establish a general schema for each optimization. 
The compiler would then use the schema to produce a correctness proof that goes along 
with each optimization. 

4.1 Dead Assignment Elimination 

The compiler can eliminate an assignment to a local variable if that variable is not used after the assignment. The proof schema is relatively simple: the compiler simply generates simulation invariants that assert the equality of corresponding live variables at corresponding points in the program. Figures 14 and 15 present an example that we use to illustrate the schema. This example continues the example introduced in Section 2. Figure 16 presents the invariants that the compiler generates for this example.

Note that the set $I$ of invariants contains no standard invariants. In general, dead assignment elimination requires only simulation invariants. The proofs of these invariants are simple; the only complication is the need to skip over dead assignments. Figure 17, which contains the proof tree for $((g_P,i_P))4_P \triangleright ((g_T,i_T))4_T$, illustrates this situation.
Program P (Figure 14):
1 : i ← 0
2 : x ← 1
3 : y ← 2
4 : br i < 24
5 : i ← i + 3
6 : g ← 2 * i
7 : exit
(edges: 1→2→3→4; 4→5 when i < 24, else 4→7; 5→6→4)

Program T (Figure 15):
1 : i ← 0
4 : br i < 24
5 : i ← i + 3
6 : g ← 2 * i
7 : exit
(edges: 1→4; 4→5 when i < 24, else 4→7; 5→6→4)

Figure 14: Program P Before Dead Assignment Elimination
Figure 15: Program T After Dead Assignment Elimination

$I = \{((g_P,i_P))4_P \triangleright ((g_T,i_T))4_T,\ (i_P)5_P \triangleright (i_T)5_T,\ (i_P)6_P \triangleright (i_T)6_T,\ (g_P)7_P \triangleright (g_T)7_T\}$

Figure 16: Invariants for Dead Assignment Elimination

The proof tree of Figure 17 has one branch for each predecessor of $4_P$. Each branch is listed from its leaf (top) to the root (bottom), with the rule used at each step in brackets.

Branch for predecessor $3_P$ of $4_P$:

$(g_P) = (g_T) \Rightarrow (g_P,0) = (g_T,0)$
$I \vdash ((g_P,0))1_P \triangleright ((g_T,0))1_T$ [13]
$I \vdash ((g_P,0))1_P \triangleright 1_T((g_T,i_T))4_T$ [24]
$I \vdash ((g_P,0))1_P \triangleright ((g_T,i_T))4_T$ [22]
$I \vdash ((g_P,0))1_P \cdot 2_P \triangleright ((g_T,i_T))4_T$ [21]
$I \vdash 1_P((g_P,i_P))2_P \triangleright ((g_T,i_T))4_T$ [17]
$I \vdash ((g_P,i_P))2_P \triangleright ((g_T,i_T))4_T$ [15]
$I \vdash ((g_P,i_P))2_P \cdot 3_P \triangleright ((g_T,i_T))4_T$ [21]
$I \vdash 2_P((g_P,i_P))3_P \triangleright ((g_T,i_T))4_T$ [17]
$I \vdash ((g_P,i_P))3_P \triangleright ((g_T,i_T))4_T$ [15]
$I \vdash ((g_P,i_P))3_P \cdot 4_P \triangleright ((g_T,i_T))4_T$ [21]
$I \vdash 3_P((g_P,i_P))4_P \triangleright ((g_T,i_T))4_T$ [17]

Branch for predecessor $6_P$ of $4_P$:

$(i_P)6_P \triangleright (i_T)6_T \in I,\ i_P = i_T \Rightarrow (2 * i_P, i_P) = (2 * i_T, i_T)$
$I \vdash ((2 * i_P, i_P))6_P \cdot 4_P \triangleright ((2 * i_T, i_T))6_T$ [14]
$I \vdash ((2 * i_P, i_P))6_P \cdot 4_P \triangleright 6_T((g_T,i_T))4_T$ [24]
$I \vdash ((2 * i_P, i_P))6_P \cdot 4_P \triangleright ((g_T,i_T))4_T$ [22]
$I \vdash 6_P((g_P,i_P))4_P \triangleright ((g_T,i_T))4_T$ [17]

Root, from the two branches:

$I \vdash ((g_P,i_P))4_P \triangleright ((g_T,i_T))4_T$ [15]

Figure 17: Proof Tree for $I \vdash ((g_P,i_P))4_P \triangleright ((g_T,i_T))4_T$
4.2 Branch Movement

Our next optimization moves a conditional branch from the top of a loop to the bottom. 
The optimization is legal if the loop always executes at least once. This optimization is 
different from all the other optimizations we have discussed so far in that it changes the 
control flow. Figure 18 presents the program before branch movement; Figure 19 presents 
the program after branch movement. Figure 20 presents the set of invariants that the 
compiler generates for this example. 

Figure 23 presents the proof tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$. One of the paths that the proof must consider is the path in the original program P from $1_P$ to $4_P$ to $7_P$. No execution of P, of course, will take this path — the loop always executes at least once, and this path corresponds to the loop executing zero times. The fact that this path will never execute shows up as a false condition in the partial simulation invariant for P that is propagated from $7_P$ back to $1_P$. The corresponding path in T that is used to prove $I \vdash (g_P)7_P \triangleright (g_T)7_T$ is the path from $1_T$ through $5_T$, $6_T$, and $4_T$ to $7_T$. Although the values of $g_P$ and $g_T$ are not the same on the two paths, the fact that the condition in the partial simulation invariant from P is false enables the use of rule 13 at the leaf of the proof tree. Figure 21 presents the branch of the proof tree for this path.




Program P (Figure 18):
1 : i ← 0
4 : br i < 24
5 : i ← i + 3
6 : g ← 2 * i
7 : exit
(edges: 1→4; 4→5 when i < 24, else 4→7; 5→6→4)

Program T (Figure 19):
1 : i ← 0
5 : i ← i + 3
6 : g ← 2 * i
4 : br i < 24
7 : exit
(edges: 1→5→6→4; 4→5 when i < 24, else 4→7)

Figure 18: Program P Before Branch Movement
Figure 19: Program T After Branch Movement

$I = \{(i_P)5_P \triangleright (i_T)5_T,\ (i_P)6_P \triangleright (i_T)6_T,\ (g_P)7_P \triangleright (g_T)7_T\}$

Figure 20: Invariants for Branch Movement
Proof tree $\pi_1$, listed from its leaf (top) to its root (bottom), with the rule used at each step in brackets:

$0 \geq 24 \Rightarrow 3 \geq 24 \wedge g_P = 6$
$I \vdash (0 \geq 24, g_P)1_P \triangleright (3 \geq 24, 6)1_T$ [13]
$I \vdash (0 \geq 24, g_P)1_P \triangleright 1_T(i_T + 3 \geq 24, 2 * (i_T + 3))5_T$ [24]
$I \vdash (0 \geq 24, g_P)1_P \triangleright (i_T + 3 \geq 24, 2 * (i_T + 3))5_T$ [22]
$I \vdash (0 \geq 24, g_P)1_P \triangleright 5_T(i_T \geq 24, 2 * i_T)6_T$ [24]
$I \vdash (0 \geq 24, g_P)1_P \triangleright (i_T \geq 24, 2 * i_T)6_T$ [22]
$I \vdash (0 \geq 24, g_P)1_P \triangleright 6_T(i_T \geq 24, g_T)4_T$ [24]
$I \vdash (0 \geq 24, g_P)1_P \triangleright (i_T \geq 24, g_T)4_T$ [22]
$I \vdash (0 \geq 24, g_P)1_P \triangleright 4_T(g_T)7_T$ [26]
$I \vdash (0 \geq 24, g_P)1_P \triangleright (g_T)7_T$ [22]
$I \vdash (0 \geq 24, g_P)1_P \cdot 4_P \triangleright (g_T)7_T$ [21]
$I \vdash 1_P(i_P \geq 24, g_P)4_P \triangleright (g_T)7_T$ [17]

Figure 21: Proof Tree $\pi_1$ for $I \vdash 1_P(i_P \geq 24, g_P)4_P \triangleright (g_T)7_T$

Proof tree $\pi_2$, listed from its leaf to its root:

$(i_P)6_P \triangleright (i_T)6_T \in I,\ i_P \geq 24 \wedge i_P = i_T \Rightarrow (i_T \geq 24 \wedge 2 * i_P = 2 * i_T)$
$I \vdash (i_P \geq 24, 2 * i_P)6_P \cdot 4_P \triangleright (i_T \geq 24, 2 * i_T)6_T$ [14]
$I \vdash (i_P \geq 24, 2 * i_P)6_P \cdot 4_P \triangleright 6_T(i_T \geq 24, g_T)4_T$ [24]
$I \vdash (i_P \geq 24, 2 * i_P)6_P \cdot 4_P \triangleright (i_T \geq 24, g_T)4_T$ [22]
$I \vdash (i_P \geq 24, 2 * i_P)6_P \cdot 4_P \triangleright 4_T(g_T)7_T$ [26]
$I \vdash (i_P \geq 24, 2 * i_P)6_P \cdot 4_P \triangleright (g_T)7_T$ [22]
$I \vdash 6_P(i_P \geq 24, g_P)4_P \triangleright (g_T)7_T$ [17]

Figure 22: Proof Tree $\pi_2$ for $I \vdash 6_P(i_P \geq 24, g_P)4_P \triangleright (g_T)7_T$

The complete tree, with $\pi_1$ and $\pi_2$ as the two branches of the use of rule 15 at $4_P$:

$\pi_1 \qquad \pi_2$
$I \vdash (i_P \geq 24, g_P)4_P \triangleright (g_T)7_T$ [15]
$I \vdash (i_P \geq 24, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$ [21]
$I \vdash 4_P(g_P)7_P \triangleright (g_T)7_T$ [19]
$I \vdash (g_P)7_P \triangleright (g_T)7_T$ [15]

Figure 23: Proof Tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$
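As an added example that is not code from the paper, the following Python script mechanizes the propagation rules 17 through 19 and 24 through 26 on the branch movement programs of Figures 18 and 19, then discharges the leaf obligations of Figures 21 and 22 by bounded enumeration over small integer memories (a stand-in for a theorem prover, not part of the paper's logic). The node names, the renaming of P's variables to iP, gP and T's to iT, gT, and the enumeration domain are assumptions of the example.

```python
import itertools

# Expression trees: an int constant, a str variable, ('not', a) or (op, a, b).
BINOPS = {
    '+': lambda a, b: a + b, '*': lambda a, b: a * b,
    '<': lambda a, b: a < b, '==': lambda a, b: a == b,
    'and': lambda a, b: a and b, '=>': lambda a, b: (not a) or b,
}

def subst(expr, var, by):
    """expr[by/var]: the substitution that rules 17 and 24 apply."""
    if isinstance(expr, str):
        return by if expr == var else expr
    if isinstance(expr, tuple):
        return (expr[0],) + tuple(subst(a, var, by) for a in expr[1:])
    return expr

def evaluate(expr, m):
    """Value of expr in memory m, a dict from variable name to int."""
    if isinstance(expr, str):
        return m[expr]
    if isinstance(expr, tuple):
        if expr[0] == 'not':
            return not evaluate(expr[1], m)
        return BINOPS[expr[0]](evaluate(expr[1], m), evaluate(expr[2], m))
    return expr

def free_vars(expr, acc=None):
    """Set of variable names occurring in expr."""
    acc = set() if acc is None else acc
    if isinstance(expr, str):
        acc.add(expr)
    elif isinstance(expr, tuple):
        for a in expr[1:]:
            free_vars(a, acc)
    return acc

def propagate(prog, path, c, e):
    """Start from the partial simulation invariant (c,e) at the last node of
    path and walk the path backwards. Each step is one use of rule 17/24
    (assign), 18/25 (branch taken), 19/26 (branch not taken) or 16/23 (nop)
    and yields the (c,e) that the rule requires at the first node."""
    for s, t in reversed(list(zip(path, path[1:]))):
        node = prog[s]
        if node[0] == 'assign':                      # s : v <- e' t
            _, v, rhs, succ = node
            if succ != t:
                raise ValueError('%s does not flow to %s' % (s, t))
            c, e = subst(c, v, rhs), subst(e, v, rhs)
        elif node[0] == 'br':                        # s : br d t1 t2
            _, d, t1, t2 = node
            if t not in (t1, t2):
                raise ValueError('%s does not flow to %s' % (s, t))
            c = ('and', c, d if t == t1 else ('not', d))
        elif node[0] != 'nop':
            raise ValueError('cannot step through %r' % (node,))
    return c, e

def implies_everywhere(hyp, concl, domain):
    """Leaf obligation hyp => concl, checked on every memory whose free
    variables take values in domain: a bounded stand-in for a prover."""
    obligation = ('=>', hyp, concl)
    names = sorted(free_vars(obligation))
    for vals in itertools.product(domain, repeat=len(names)):
        if not evaluate(obligation, dict(zip(names, vals))):
            return False
    return True

# Constructed programs: P of Figure 18 and T of Figure 19, with P's variables
# renamed iP/gP and T's renamed iT/gT so that one memory can hold both sides.
P = {'1P': ('assign', 'iP', 0, '4P'), '4P': ('br', ('<', 'iP', 24), '5P', '7P'),
     '5P': ('assign', 'iP', ('+', 'iP', 3), '6P'),
     '6P': ('assign', 'gP', ('*', 2, 'iP'), '4P'), '7P': ('exit',)}
T = {'1T': ('assign', 'iT', 0, '5T'), '5T': ('assign', 'iT', ('+', 'iT', 3), '6T'),
     '6T': ('assign', 'gT', ('*', 2, 'iT'), '4T'),
     '4T': ('br', ('<', 'iT', 24), '5T', '7T'), '7T': ('exit',)}
DOMAIN = range(0, 30)   # assumed bound for the enumeration

def figure22_leaf():
    """pi_2 of Figure 22: propagate both sides back to 6_P and 6_T, then
    discharge the rule 14 obligation for (i_P)6_P |> (i_T)6_T in I:
    c1 and i_P = i_T  =>  c2 and e1 = e2."""
    c1, e1 = propagate(P, ['6P', '4P', '7P'], True, 'gP')   # (not i_P<24, 2*i_P)
    c2, e2 = propagate(T, ['6T', '4T', '7T'], True, 'gT')   # (not i_T<24, 2*i_T)
    hyp = ('and', c1, ('==', 'iP', 'iT'))
    return implies_everywhere(hyp, ('and', c2, ('==', e1, e2)), DOMAIN)

def figure21_leaf():
    """pi_1 of Figure 21: the path 1_P,4_P,7_P that no execution takes yields
    the condition not 0<24, so the rule 13 obligation c1 => c2 and e1 = e2
    holds vacuously even though g_P and g_T differ on the two paths."""
    c1, e1 = propagate(P, ['1P', '4P', '7P'], True, 'gP')             # (not 0<24, g_P)
    c2, e2 = propagate(T, ['1T', '5T', '6T', '4T', '7T'], True, 'gT')  # (not 0+3<24, 2*(0+3))
    return implies_everywhere(c1, ('and', c2, ('==', e1, e2)), DOMAIN)

if __name__ == '__main__':
    print('Figure 22 leaf:', figure22_leaf(), ' Figure 21 leaf:', figure21_leaf())
```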
4.3 Induction Variable Elimination

Our next optimization eliminates the induction variable $i$ from the loop, replacing it with $g$. The correctness of this transformation depends on the invariant $(g_P = 2 * i_P)4_P$. Figure 24 presents the program before induction variable elimination; Figure 25 presents the program after induction variable elimination. Figure 26 presents the set of invariants that the compiler generates for this example. These invariants characterize the relationship between the eliminated induction variable $i_P$ from the original program and the variable $g_T$ in the transformed program. Figure 27 presents the proof tree for $I \vdash (2 * i_P)4_P \triangleright (g_T)4_T$; Figure 28 presents the proof tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$.





Program P (Figure 24):
1 : i ← 0
5 : i ← i + 3
6 : g ← 2 * i
4 : br i < 24
7 : exit
(edges: 1→5→6→4; 4→5 when i < 24, else 4→7)

Program T (Figure 25):
1 : g ← 0
5 : g ← g + 6
4 : br g < 48
7 : exit
(edges: 1→5→4; 4→5 when g < 48, else 4→7)

Figure 24: Program P Before Induction Variable Elimination
Figure 25: Program T After Induction Variable Elimination

$I = \{(g_P = 2 * i_P)4_P,\ (2 * i_P)5_P \triangleright (g_T)5_T,\ (2 * i_P)4_P \triangleright (g_T)4_T,\ (g_P)7_P \triangleright (g_T)7_T\}$

Figure 26: Invariants for Induction Variable Elimination
Proof tree of Figure 27, listed from its leaf (top) to its root (bottom), with the rule used at each step in brackets:

$(2 * i_P)5_P \triangleright (g_T)5_T \in I,\ 2 * i_P = g_T \Rightarrow 2 * (i_P + 3) = g_T + 6$
$I \vdash (2 * (i_P + 3))5_P \cdot 6_P \triangleright (g_T + 6)5_T$ [14]
$I \vdash (2 * (i_P + 3))5_P \cdot 6_P \triangleright 5_T(g_T)4_T$ [24]
$I \vdash (2 * (i_P + 3))5_P \cdot 6_P \triangleright (g_T)4_T$ [22]
$I \vdash 5_P(2 * i_P)6_P \triangleright (g_T)4_T$ [17]
$I \vdash (2 * i_P)6_P \triangleright (g_T)4_T$ [15]
$I \vdash (2 * i_P)6_P \cdot 4_P \triangleright (g_T)4_T$ [21]
$I \vdash 6_P(2 * i_P)4_P \triangleright (g_T)4_T$ [17]
$I \vdash (2 * i_P)4_P \triangleright (g_T)4_T$ [15]

Figure 27: Proof Tree for $I \vdash (2 * i_P)4_P \triangleright (g_T)4_T$

Proof tree of Figure 28, listed from its leaf to its root:

$I \vdash (g_P = 2 * i_P)4_P,\ (2 * i_P)4_P \triangleright (g_T)4_T \in I,\ g_P = 2 * i_P \wedge i_P \geq 24 \wedge 2 * i_P = g_T \Rightarrow (g_T \geq 48 \wedge g_P = g_T)$
$I \vdash (i_P \geq 24, g_P)4_P \cdot 7_P \triangleright (g_T \geq 48, g_T)4_T$ [14]
$I \vdash (i_P \geq 24, g_P)4_P \cdot 7_P \triangleright 4_T(g_T)7_T$ [26]
$I \vdash (i_P \geq 24, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$ [22]
$I \vdash 4_P(g_P)7_P \triangleright (g_T)7_T$ [19]
$I \vdash (g_P)7_P \triangleright (g_T)7_T$ [15]

Figure 28: Proof Tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$
4.4 Loop Unrolling

The next optimization unrolls the loop once. Figure 29 presents the program before loop 
unrolling; Figure 30 presents the program after unrolling the loop. Note that the loop 
unrolling transformation preserves the loop exit test; this test can be eliminated by the 
dead code elimination optimization discussed in Section 4.5. 



Program P (Figure 29):
1 : g ← 0
5 : g ← g + 6
4 : br g < 48
7 : exit
(edges: 1→5→4; 4→5 when g < 48, else 4→7)

Program T (Figure 30):
1 : g ← 0
2 : g ← g + 6
3 : br g < 48
5 : g ← g + 6
4 : br g < 48
7 : exit
(edges: 1→2→3; 3→5 when g < 48, else 3→7; 5→4; 4→2 when g < 48, else 4→7)

Figure 29: Program P Before Loop Unrolling
Figure 30: Program T After Loop Unrolling

$I = \{(g_P \% 12 = 0 \vee g_P \% 12 = 6)4_P,\ (g_P \% 12 = 0, g_P)5_P \triangleright (g_T)2_T,\ (g_P \% 12 = 6, g_P)4_P \triangleright (g_T)3_T,\ (g_P \% 12 = 6, g_P)5_P \triangleright (g_T)5_T,\ (g_P \% 12 = 0, g_P)4_P \triangleright (g_T)4_T,\ (g_P)7_P \triangleright (g_T)7_T\}$

Figure 31: Invariants for Loop Unrolling

Figure 31 presents the set of invariants that the compiler generates for this example. Note that, unlike the simulation invariants in previous examples, these simulation invariants have conditions. The conditions are used to separate different executions of the same node in the original program. Some of the time, the execution at node $4_P$ corresponds to the execution at node $4_T$, and other times to the execution at node $3_T$. The conditions in the simulation invariants identify when, in the execution of the original program, each correspondence holds. For example, when $g_P \% 12 = 0$, the execution at $4_P$ corresponds to the execution at $4_T$; when $g_P \% 12 = 6$, the execution at $4_P$ corresponds to the execution at $3_T$.

Figure 34 presents the proof tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$. The key part of the proof is the use of the case analysis rule, rule 20. This rule is a key component of correctness proofs for transformations, like loop unrolling, that replicate code.
Proof tree $\pi_1$, listed from its leaf (top) to its root (bottom), with the rule used at each step in brackets:

$(g_P \% 12 = 0, g_P)4_P \triangleright (g_T)4_T \in I,\ g_P \% 12 = 0 \wedge g_P \geq 48 \Rightarrow g_P \% 12 = 0,\ g_P \% 12 = 0 \wedge g_P \geq 48 \wedge g_P = g_T \Rightarrow (g_T \geq 48 \wedge g_P = g_T)$
$I \vdash (g_P \% 12 = 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T \geq 48, g_T)4_T$ [14]
$I \vdash (g_P \% 12 = 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright 4_T(g_T)7_T$ [26]
$I \vdash (g_P \% 12 = 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$ [22]

Figure 32: Proof Tree $\pi_1$ for $I \vdash (g_P \% 12 = 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$

Proof tree $\pi_2$, listed from its leaf to its root:

$I \vdash (g_P \% 12 = 0 \vee g_P \% 12 = 6)4_P,\ (g_P \% 12 = 6, g_P)4_P \triangleright (g_T)3_T \in I,$
$(g_P \% 12 = 0 \vee g_P \% 12 = 6) \wedge (g_P \% 12 \neq 0 \wedge g_P \geq 48) \Rightarrow g_P \% 12 = 6,$
$(g_P \% 12 = 0 \vee g_P \% 12 = 6) \wedge (g_P \% 12 \neq 0 \wedge g_P \geq 48) \wedge g_P = g_T \Rightarrow (g_T \geq 48 \wedge g_P = g_T)$
$I \vdash (g_P \% 12 \neq 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T \geq 48, g_T)3_T$ [14]
$I \vdash (g_P \% 12 \neq 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright 3_T(g_T)7_T$ [26]
$I \vdash (g_P \% 12 \neq 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$ [22]

Figure 33: Proof Tree $\pi_2$ for $I \vdash (g_P \% 12 \neq 0 \wedge g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$

The complete tree, with $\pi_1$ and $\pi_2$ as the two branches of the use of rule 20:

$\pi_1 \qquad \pi_2 \qquad g_P \geq 48 \Rightarrow (g_P \% 12 = 0 \wedge g_P \geq 48) \vee (g_P \% 12 \neq 0 \wedge g_P \geq 48)$
$I \vdash (g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$ [20]
$I \vdash 4_P(g_P)7_P \triangleright (g_T)7_T$ [19]
$I \vdash (g_P)7_P \triangleright (g_T)7_T$ [15]

Figure 34: Proof Tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$
4.5 Dead Code Elimination

Our next optimization is dead code elimination. We continue with our example by eliminating the branch in the middle of the loop at node 3. Figure 35 presents the program before the branch is eliminated. The key property that allows the compiler to remove the branch is that $g \% 12 = 6 \wedge g < 48$ at 3, which implies that $g < 48$ at 3. In other words, the condition in the branch is always true. Figure 36 presents the program after the branch is eliminated. Figure 37 presents the set of invariants that the compiler generates for this example.




Program P (Figure 35):
1 : g ← 0
2 : g ← g + 6
3 : br g < 48
5 : g ← g + 6
4 : br g < 48
7 : exit
(edges: 1→2→3; 3→5 when g < 48, else 3→7; 5→4; 4→2 when g < 48, else 4→7)

Program T (Figure 36):
1 : g ← 0
2 : g ← g + 6
5 : g ← g + 6
4 : br g < 48
7 : exit
(edges: 1→2→5→4; 4→2 when g < 48, else 4→7)

Figure 35: Program P Before Dead Code Elimination
Figure 36: Program T After Dead Code Elimination

$I = \{(g_P \% 12 = 0 \wedge g_P < 48)2_P,\ (g_P \% 12 = 6 \wedge g_P < 48)3_P,\ (g_P \% 12 = 6 \wedge g_P < 48)5_P,\ (g_P \% 12 = 0 \wedge g_P < 48)4_P,\ (g_P)2_P \triangleright (g_T)2_T,\ (g_P)5_P \triangleright (g_T)5_T,\ (g_P)3_P \triangleright (g_T)5_T,\ (g_P)4_P \triangleright (g_T)4_T,\ (g_P)7_P \triangleright (g_T)7_T\}$

Figure 37: Invariants for Dead Code Elimination

Figure 40 presents the proof tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$. One of the paths that the proof must consider is the potential loop exit in the original program P from $3_P$ to $7_P$; Figure 39 presents the branch of the proof tree that corresponds to this path. In fact, the loop always exits from $4_P$, not $3_P$. This fact shows up because the conjunction of the standard invariant $(g_P \% 12 = 6 \wedge g_P < 48)3_P$ with the condition $g_P \geq 48$ from the partial simulation invariant for P at $3_P$ is false. The corresponding path in T that is used to prove $I \vdash (g_P)7_P \triangleright (g_T)7_T$ is the path from $5_T$ to $4_T$ to $7_T$. Although the values of $g_P$ and $g_T$ are not the same on the two paths, the fact that the conjunction described above is false enables the use of rule 14 at the leaf of the proof tree.






Proof tree $\pi_1$, listed from its leaf (top) to its root (bottom), with the rule used at each step in brackets:

$(g_P)4_P \triangleright (g_T)4_T \in I,\ g_P = g_T \wedge g_P \geq 48 \Rightarrow (g_T \geq 48 \wedge g_P = g_T)$
$I \vdash (g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T \geq 48, g_T)4_T$ [14]
$I \vdash (g_P \geq 48, g_P)4_P \cdot 7_P \triangleright 4_T(g_T)7_T$ [26]
$I \vdash (g_P \geq 48, g_P)4_P \cdot 7_P \triangleright (g_T)7_T$ [22]
$I \vdash 4_P(g_P)7_P \triangleright (g_T)7_T$ [19]

Figure 38: Proof Tree $\pi_1$ for $I \vdash 4_P(g_P)7_P \triangleright (g_T)7_T$

Proof tree $\pi_2$, listed from its leaf to its root:

$I \vdash (g_P \% 12 = 6 \wedge g_P < 48)3_P,\ (g_P)3_P \triangleright (g_T)5_T \in I,$
$g_P \% 12 = 6 \wedge g_P < 48 \wedge g_P \geq 48 \wedge g_P = g_T \Rightarrow (g_T + 6 \geq 48 \wedge g_P = g_T + 6)$
$I \vdash (g_P \geq 48, g_P)3_P \cdot 7_P \triangleright (g_T + 6 \geq 48, g_T + 6)5_T$ [14]
$I \vdash (g_P \geq 48, g_P)3_P \cdot 7_P \triangleright 5_T(g_T \geq 48, g_T)4_T$ [24]
$I \vdash (g_P \geq 48, g_P)3_P \cdot 7_P \triangleright (g_T \geq 48, g_T)4_T$ [22]
$I \vdash (g_P \geq 48, g_P)3_P \cdot 7_P \triangleright 4_T(g_T)7_T$ [26]
$I \vdash (g_P \geq 48, g_P)3_P \cdot 7_P \triangleright (g_T)7_T$ [22]
$I \vdash 3_P(g_P)7_P \triangleright (g_T)7_T$ [19]

Figure 39: Proof Tree $\pi_2$ for $I \vdash 3_P(g_P)7_P \triangleright (g_T)7_T$

The complete tree, with $\pi_1$ and $\pi_2$ as the two branches of the use of rule 15 at $7_P$:

$\pi_1 \qquad \pi_2$
$I \vdash (g_P)7_P \triangleright (g_T)7_T$ [15]

Figure 40: Proof Tree for $I \vdash (g_P)7_P \triangleright (g_T)7_T$
5 Termination Anomalies

Throughout the paper so far, we have required that the transformed program simulate the 
original program in the sense that for every execution in the original program that reaches 
the exit node, there exists an execution in the transformed program that reaches the exit 
node such that the values of the observable variables are the same. 

There is, however, an anomaly associated with this notion of simulation. What happens 
if the original program contains an infinite loop? Then any program simulates the original 
program. One can imagine that programmers might like to have stronger guarantees. 

One option is to require also that the original program simulate the transformed program. If the two programs simulate each other, the transformed program terminates if and only if the original program terminates. And if they terminate, they terminate with identical values in corresponding observable variables. We anticipate that this will be a good solution in practice.

There is, however, a potential anomaly associated with this approach. The logics for 
proving simulation invariants are based on notions of partial correctness. For some pro- 
grams, it is impossible to use the logic to prove that they simulate each other, even if they 
both terminate with the same result. Consider the two programs in Figures 41 and 42 that 
compute g = 48. Using the logic presented in Section 3.4, it is not possible to prove that the 
iterative program in Figure 41 simulates the program in Figure 42. Roughly speaking, the 
problem is that the logic cannot prove that the loop in the iterative program terminates. 




Iterative program (Figure 41):
1 : g ← 0
5 : g ← g + 6
4 : br g < 48
7 : exit
(edges: 1→5→4; 4→5 when g < 48, else 4→7)

Closed form program (Figure 42):
1 : g ← 48
2 : exit

Figure 41: Iterative Program to Compute g = 48
Figure 42: Closed Form Program to Compute g = 48

We do not anticipate that this anomaly will prove to be a problem in practice, because 
the overwhelming majority of compiler transformations do not eliminate or introduce loops. 
If it does turn out to be a problem in practice, the solution is to augment the logic so that 
it can prove that loops terminate. 

6 Code Generation 

In principle, we believe that it is possible to produce a proof that the final object code 
correctly implements the original program. For engineering reasons, however, we designed 
the proof system to work with a standard intermediate format based on control flow graphs. 
The parser, which produces the initial control flow graph, and the code generator, which 
generates object code from the final control flow graph, are therefore potential sources 
of uncaught errors. We believe it should be straightforward, for reasonable languages, to 
produce a standard parser that is not a serious source of errors. It is not so obvious how 
the code generator can be made simple enough to be reliable. 

Our goal is to make the step from the final control flow graph to the generated code be 
as small as possible. Ideally, each node in the control flow graph would correspond to 
a single instruction in the generated code. To achieve this goal, it must be possible to 
express the result of complicated, machine-specific code generation algorithms (such as 
register allocation and instruction selection) using control flow graphs. After the compiler 
applies these algorithms, the final control flow graph would be structured in a stylized 
way appropriate for the target architecture. The code generator for the target architecture 
would accept such a control flow graph as input and use a simple translation algorithm to 
produce the final object code. 

With this approach, we anticipate that code generators can be made approximately as 
simple as proof checkers. We therefore anticipate that it will be possible to build standard 
code generators with an acceptable level of reliability for most users. However, we would 
once again like to emphasize that it should be possible to build a framework in which the 
compilation is checked from source code to object code. 

In the following two sections, we first present an approach for a simple RISC instruction 
set, then discuss an approach for more complicated instruction sets. 

6.1 A Simple RISC Instruction Set 

For a simple RISC instruction set, the key idea is to introduce special variables that the 
code generator interprets as registers. The control flow graph is then transformed so that 
each node corresponds to a single instruction in the generated code. We first consider 
assignment nodes. 

• If the destination variable is a register variable, the source expression must be one of 
the following: 

— A non-register variable. In this case the node corresponds to a load instruction. 

— A constant. In this case the node corresponds to a load immediate instruction. 

— A single arithmetic operation with register variable operands. In this case the 
node corresponds to an arithmetic instruction that operates on the two source 
registers to produce a value that is written into the destination register. 

— A single arithmetic operation with one register variable operand and one con- 
stant operand. In this case the node corresponds to an arithmetic instruction 
that operates on one source register and an immediate constant to produce a 
value that is written into the destination register. 

• If the destination variable of an assignment node is a non-register variable, the source 
expression must consist of a register variable, and the node corresponds to a store 
instruction. 

It is possible to convert assignment nodes with arbitrary expressions to this form. The first 
step is to flatten the expression by introducing temporary variables to hold the intermediate 
values computed by the expression. Additional assignment nodes transfer these values to 
the new temporary variables. The second step is to use a register allocation algorithm to 
transform the control flow graph to fit the form described above. 

We next consider conditional branch nodes. If the condition is the constant true or false, 
the node corresponds to an unconditional branch instruction. Otherwise, the condition 
must compare a register variable with zero so that the instruction corresponds either to a 
branch if zero instruction or a branch if not zero instruction. 
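As an added illustration (not code from the paper), the following Python models the stylized form of Section 6.1 and the simple translation the code generator performs on it, rejecting any node that does not map to exactly one instruction. The node encoding, the register naming, the RISC mnemonics (including a set-less-than operation used to reduce a test such as g < 48 to a register-versus-zero branch) and the convention that the false edge of a conditional branch must fall through to the next node are my assumptions.

```python
"""Added example (not the paper's code): translator from the stylized control
flow graph form of Section 6.1 to a simple RISC instruction set.  The node
tuples, register names (r0, r1, ...) and mnemonics are assumptions."""
import re

_REG = re.compile(r"^r\d+$")
# Arithmetic operations.  '<' is assumed to be a set-less-than operation that
# yields 0 or 1, so that branch nodes only ever compare a register with zero.
_OPS = {"+": "add", "-": "sub", "*": "mul", "<": "slt"}


class NotStylized(Exception):
    """The graph is not in the one-instruction-per-node form."""


def is_reg(v):
    return isinstance(v, str) and _REG.match(v) is not None


def is_const(v):
    return isinstance(v, int) and not isinstance(v, bool)


def gen_assign(dest, src):
    """Assignment node -> one instruction, following the cases of Section 6.1."""
    if is_reg(dest):
        if is_const(src):
            return f"li {dest}, {src}"                 # load immediate
        if isinstance(src, str):
            if is_reg(src):
                raise NotStylized(f"{dest} <- {src}: register-to-register move is not listed")
            return f"ld {dest}, [{src}]"               # load from a non-register variable
        op, a, b = src
        if op not in _OPS:
            raise NotStylized(f"unknown operation {op!r}")
        if is_reg(a) and is_reg(b):
            return f"{_OPS[op]} {dest}, {a}, {b}"      # register-register arithmetic
        if is_reg(a) and is_const(b):
            return f"{_OPS[op]}i {dest}, {a}, {b}"     # register-immediate arithmetic
        raise NotStylized(f"{dest} <- {src}: operands must be two registers or register+constant")
    if is_reg(src):
        return f"st [{dest}], {src}"                   # store to a non-register variable
    raise NotStylized(f"{dest} <- {src}: store source must be a register")


def gen_branch(cond, if_true, if_false, fallthrough):
    """Conditional branch node -> one instruction; the false edge must fall through."""
    if cond is True:
        return f"b {if_true}"
    if cond is False:
        return f"b {if_false}"
    rel, reg, zero = cond
    if not (is_reg(reg) and zero == 0 and rel in ("==", "!=")):
        raise NotStylized(f"branch condition {cond} must compare a register with zero")
    if if_false != fallthrough:
        raise NotStylized(f"false edge to {if_false} cannot fall through to {fallthrough}")
    return f"{'bz' if rel == '==' else 'bnz'} {reg}, {if_true}"


def generate(cfg):
    """cfg: ordered list of (label, node).  Returns one instruction per node."""
    labels = [lab for lab, _ in cfg] + [None]
    out = []
    for i, (lab, node) in enumerate(cfg):
        kind = node[0]
        if kind == "assign":
            ins = gen_assign(node[1], node[2])
        elif kind == "br":
            ins = gen_branch(node[1], node[2], node[3], labels[i + 1])
        elif kind == "exit":
            ins = "ret"
        else:
            raise NotStylized(f"unsupported node kind {kind!r}")
        out.append(f"{lab}: {ins}")
    return out


# Constructed sample: the iterative program of Figure 41 (g = 0; g += 6 while
# g < 48) after register allocation, with g kept as a memory variable.
ITERATIVE_G48 = [
    ("n1", ("assign", "r1", 0)),
    ("n2", ("assign", "g", "r1")),
    ("n3", ("assign", "r1", "g")),
    ("n4", ("assign", "r1", ("+", "r1", 6))),
    ("n5", ("assign", "g", "r1")),
    ("n6", ("assign", "r2", ("<", "r1", 48))),
    ("n7", ("br", ("!=", "r2", 0), "n3", "n8")),
    ("n8", ("exit",)),
]

if __name__ == "__main__":
    print("\n".join(generate(ITERATIVE_G48)))
```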

6.2 More Complex Instruction Sets 

Many processors offer more complex instructions that, in effect, do multiple things in a 
single cycle. In the ARM instruction set, for example, the execution of each instruction 
may be predicated on several condition codes. ARM instructions can therefore be modeled 
as consisting of a conditional branch plus the other operations in the instruction. The x86 
instruction set has instructions that assign values to several registers. 

We believe the correct approach for these more complex instruction sets is to let the 
compiler writer extend the possible types of nodes in the control flow graph. The semantics 
of each new type of node would be given in terms of the base nodes in standard control 
flow graphs. We illustrate this approach with an example. 

For instruction sets with condition codes, the programmer would define a new variable 
for each condition code and new assignment nodes that set the condition codes appro- 
priately. The semantics of each new node would be given as a small control flow graph 
that performed the assignment, tested the appropriate conditions, and set the appropriate 
condition code variables. If the instruction set also has predicated execution, the control 
flow graph would use conditional branch nodes to check the appropriate condition codes 
before performing the instruction. 

Each new type of node would come with proof rules automatically derived from its 
underlying control flow graph. The proof checker could therefore verify proofs on control 
flow graphs that include these types of nodes. The code generator would require the 
preceding phases of the compiler to produce a control flow graph that contained only those 
types of nodes that translate directly into a single instruction on the target architecture. 
With this approach, all complex code generation algorithms could operate on control flow 
graphs, with their results checked for correctness. 
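As an added example (not from the paper), the following Python gives the semantics of one extended node type, an ARM-style add that may be predicated on a condition code and may set the N and Z codes, as a small graph of base assignment and branch nodes, and runs the expansion under a base-node interpreter. The node encoding, the flag names N and Z, and the interpreter are assumptions made for illustration.

```python
"""Added example (not the paper's code): an extended control flow graph node
whose semantics is given by expansion into base nodes (Section 6.2).
Base nodes: ("assign", dest, src), ("br", cond, if_true, if_false), ("exit",).
A base program maps label -> (node, fall-through successor)."""


def expand_add(label, dest, a, b, nxt, pred=None, set_cc=False):
    """Semantics of the extended node `label: dest <- a + b` [if pred] [setting N, Z]
    as base nodes.  pred names a condition-code variable that must be non-zero
    for the instruction to execute; set_cc asks for the N and Z codes to be set."""
    nodes = {}
    body = label if pred is None else f"{label}.add"
    if pred is not None:
        # predicated execution: a branch node skips the whole instruction
        nodes[label] = (("br", ("!=", pred, 0), body, nxt), None)
    if not set_cc:
        nodes[body] = (("assign", dest, ("+", a, b)), nxt)
        return nodes
    # perform the assignment, then test the result and set the code variables
    nodes[body] = (("assign", dest, ("+", a, b)), f"{label}.z")
    nodes[f"{label}.z"] = (("br", ("==", dest, 0), f"{label}.z1", f"{label}.z0"), None)
    nodes[f"{label}.z1"] = (("assign", "Z", 1), f"{label}.n")
    nodes[f"{label}.z0"] = (("assign", "Z", 0), f"{label}.n")
    nodes[f"{label}.n"] = (("br", ("<", dest, 0), f"{label}.n1", f"{label}.n0"), None)
    nodes[f"{label}.n1"] = (("assign", "N", 1), nxt)
    nodes[f"{label}.n0"] = (("assign", "N", 0), nxt)
    return nodes


def eval_expr(e, st):
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return st[e]
    op, a, b = e
    x, y = eval_expr(a, st), eval_expr(b, st)
    return {"+": x + y, "-": x - y}[op]


def holds(cond, st):
    rel, a, b = cond
    x, y = eval_expr(a, st), eval_expr(b, st)
    return {"==": x == y, "!=": x != y, "<": x < y}[rel]


def run(prog, entry, state, limit=1000):
    """Execute base nodes from `entry`; returns the state reached at an exit node."""
    st, label = dict(state), entry
    for _ in range(limit):
        node, nxt = prog[label]
        if node[0] == "exit":
            return st
        if node[0] == "assign":
            st[node[1]] = eval_expr(node[2], st)
            label = nxt
        else:
            _, cond, t, f = node
            label = t if holds(cond, st) else f
    raise RuntimeError("step limit exceeded")


def flags_demo(r1, r2):
    """Constructed sample: n1 is `r3 <- r1 + r2` setting N and Z (ARM ADDS),
    n2 is `r4 <- r4 + 1` executed only when Z is set (ARM ADDEQ)."""
    prog = {}
    prog.update(expand_add("n1", "r3", "r1", "r2", "n2", set_cc=True))
    prog.update(expand_add("n2", "r4", "r4", 1, "n3", pred="Z"))
    prog["n3"] = (("exit",), None)
    return run(prog, "n1", {"r1": r1, "r2": r2, "r4": 0, "N": 0, "Z": 0})


if __name__ == "__main__":
    print(flags_demo(3, -3))
```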

7 Related Work 

Most existing research on compiler correctness has focused on techniques that deliver a 
compiler guaranteed to operate correctly on every input program [5]; we call such a com- 
piler a totally correct compiler. A credible compiler, on the other hand, is not necessarily 
guaranteed to operate correctly on all programs — it merely produces a proof that it has 
operated correctly on the current program. 

In the absence of other differences, one would clearly prefer a totally correct compiler 
to a credible compiler. After all, the credible compiler may fail to compile some programs 
correctly, while the totally correct compiler will always work. But the totally correct 
compiler approach imposes a significant pragmatic drawback: it requires the source code of 
the compiler, rather than its output, to be proved correct. So programmers must express 
the compiler in a way that is amenable to these correctness proofs. In practice this invasive 
constraint has restricted the compiler to a limited set of source languages and compiler 
algorithms. Although the concept of a totally correct compiler has been around for many 
years, there are, to our knowledge, no totally correct compilers that produce close to 
production-quality code for realistic programming languages. Credible compilation offers 
the compiler developer much more freedom. The compiler can be developed in any language 
using any methodology and perform arbitrary transformations. The only constraint is that 
the compiler produce a proof that its result is correct. 

The concept of credible compilers has also arisen in the context of compiling synchronous 
languages [3, 7]. Our approach, while philosophically similar, is technically much different. 
It is designed for standard imperative languages and therefore uses drastically different 
techniques for deriving and expressing the correctness proofs. 

We often are asked the question "How is your approach different from proof-carrying 
code [6]?" 1 In our view, credible compilers and proof-carrying code are orthogonal concepts. 
Proof-carrying code is used to prove properties of one program, typically the compiled 
program. Credible compilers establish a correspondence between two programs: an original 
program and a compiled program. Given a safe programming language, a credible compiler 
will produce guarantees that are stronger than those provided by typical applications of 
proof-carrying code. So, for example, if the source language is type safe and a credible 
compiler produces a proof that the compiled program correctly implements the original 
program, then the compiled program is also type safe. 

But proof-carrying code can, in principle, be used to prove properties that are not 
visible in the semantics of the language. For example, one might use proof-carrying code 
to prove that a program does not execute a sequence of instructions that may damage the 
hardware. Because most languages simply do not deal with the kinds of concepts required 
to prove such a property as a correspondence between two programs, credible compilation 
is not particularly relevant to these kinds of problems. 

8 Impact of Credible Compilation 

We next discuss the potential impact of credible compilation. We consider five areas: 
debugging compilers, increasing the flexibility of compiler development, just-in-time com- 
pilers, the concept of an open compiler, and the relationship of credible compilation to 
building custom compilers. 

8.1 Debugging Compilers 

Compilers are notoriously difficult to build and debug. In a large compiler, a surprising 
part of the difficulty is simply recognizing incorrectly generated code. The current state of 
the art is to generate code after a set of passes, then test that the generated code produces 
the same result as the original code. Once a piece of incorrect code is found, the developer 
must spend time tracing the bug back through layers of passes to the original source. 

Requiring the compiler to generate a proof for each transformation will dramatically 
simplify this process. As soon as a pass operates incorrectly, the developer will immediately 
be directed to the incorrect code. Bugs can be found and eliminated as soon as they occur. 



1 Proof-carrying code is code augmented with a proof that the code satisfies safety properties such as 
type safety or the absence of array bounds violations. 
8.2 Flexible Compiler Development 

It is difficult, if not impossible, to eliminate all of the bugs in a large software system 
such as a compiler. Over time, the system tends to stabilize around a relatively reliable 
software base as it is incrementally debugged. The price of this stability is that people 
become extremely reluctant to change the software, either to add features or even to fix 
relatively minor bugs, for fear of inadvertently introducing new bugs. At some point the 
system becomes obsolete because the developers are unable to upgrade it quickly enough 
for it to stay relevant. 

Credible compilation, combined with the standard organization of the compiler as a 
sequence of passes, promises to make it possible to continually introduce new, unreliable 
code into a mature compiler without compromising functionality or reliability. Consider 
the following scenario. Working under deadline pressure, a compiler developer has come up 
with a prototype implementation of a complex transformation. This transformation is of great 
interest because it dramatically improves the performance of several SPEC benchmarks. 
But because the developer cut corners to get the implementation out quickly, it is unreliable. 
With credible compilation, this unreliability is not a problem at all — the transformation is 
introduced into the production compiler as another pass, with the compiler driver checking 
the correctness proof and discarding the results if it didn't work. The compiler operates 
as reliably as it did before the introduction of the new pass, but when the pass works, it 
generates much better code. 

It is well known that the effort required to make a compiler work on all conceivable 
inputs is much greater than the effort required to make the compiler work on all likely 
inputs. Credible compilation makes it possible to build the entire compiler as a sequence of 
passes that work only for common or important cases. Because developers would be under 
no pressure to make passes work on all cases, each pass could be hacked together quickly 
with little testing and no complicated code to handle exceptional cases. The result is that 
the compiler would be much easier and cheaper to build and much easier to target for good 
performance on specific programs. 

A final extrapolation is to build speculative transformations. The idea is that the 
compiler simply omits the analysis required to determine if the transformation is legal. It 
does the transformation anyway and generates a proof that the transformation is correct. 
This proof is valid, of course, only if the transformation is correct. The proof checker filters 
out invalid transformations and keeps the rest. 

This approach shifts work from the developer to the proof checker. The proof checker 
does the analysis required to determine if the transformation is legal, and the developer 
can focus on the transformation and the proof generation, not on writing the analysis code. 

8.3 Just-In-Time Compilers 

The increased network interconnectivity resulting from the deployment of the Internet has 
enabled and promoted a new way to distribute software. Instead of compiling to native 
machine code that will run only on one machine, the source program is compiled to a 
portable byte code. An interpreter executes the byte code. 

The problem is that the interpreted byte code runs much slower than native code. The 
proposed solution is to use a just-in-time compiler to generate native code either when the 
byte code arrives or dynamically as it runs. Dynamic compilation also has the advantage 
that it can use dynamically collected profiling information to drive the compilation process. 

Note, however, that the just-in-time compiler is another complex, potentially erroneous 
software component that can affect the correct execution of the program. If a compiler 
generates native code, the only subsystems that can change the semantics of the native 
code binary during normal operation are the loader, dynamic linker, operating system 
and hardware, all of which are relatively static systems. An organization that is shipping 
software can generate a binary and test it extensively on the kind of systems that its 
customers will use. If the customer finds an error, the organization can investigate the 
problem by running the program on a roughly equivalent system. 

But with dynamic compilation, the compiled code constantly changes in a way that may 
be very difficult to reproduce. If the dynamic compiler incorrectly compiles the program, it 
may be extremely difficult to reproduce the conditions that caused it to fail. This additional 
complexity in the compilation approach makes it more difficult to build a reliable compiler. 
It also makes it difficult to assign blame for any failure. When an error shows up, it could 
be either the compiler or the application. The organizations that built each product tend 
to blame each other for the error, and neither one is motivated to work hard to find and 
fix the problem. The end result is that the total system stays broken. 

Credible compilation can eliminate this problem. If the dynamic compiler emits a 
proof that it executed correctly, the run-time system can check the proof before accepting 
the generated code. All incorrect code would be filtered out before it caused a problem. 
This approach restores the reliability properties of distributing native code binaries while 
supporting the convenience and flexibility of dynamic compilation and the distribution of 
software in portable byte-code format. 

8.4 An Open Compiler 

We believe that credible compilers will change the social context in which compilers are 
built. Before a developer can safely integrate a pass into the compiler, there must be some 
evidence that the pass will work. But there is currently no way to verify the correctness of the 
pass. Developers are therefore typically reduced to relying on the reputation of the person 
that produced the pass, rather than on the trustworthiness of the code itself. In practice, 
this means that the entire compiler is typically built by a small, cohesive group of people in 
a single organization. The compiler is closed in the sense that these people must coordinate 
any contribution to the compiler. 

Credible compilation eliminates the need for developers to trust each other. Anyone 
can take any pass, integrate it into their compiler, and use it. If a pass operates incorrectly, 
it is immediately apparent, and the compiler can discard the transformation. There is no 
need to trust anyone. The compiler is now open and anyone can contribute. Instead of 
relying on a small group of people in one organization, the effort, energy, and intelligence 
of every compiler developer in the world can be productively applied to the development 
of one compiler. 

The keys to making this vision a reality are a standard intermediate representation, 
logics for expressing the proofs, and a verifier that checks the proofs. The representation 
must be expressive and support the range of program representations required for both 
high level and low level analyses and transformations. Ideally, the representation would be 
extensible, with developers able to augment the system with new constructs and new axioms 
that characterize these constructs. The verifier would be a standard piece of software. We 
expect several independent verifiers to emerge that would be used by most programmers; 
paranoid programmers can build their own verifier. It might even be possible to do a formal 
correctness proof of the verifier. 

Once this standard infrastructure is in place, we can leverage the Internet to create a 
compiler development community. One could imagine, for example, a compiler development 
web portal with code transformation passes, front ends, and verifiers. Anyone can download 
a transformation; anyone can use any of the transformations without fear of obtaining an 
incorrect result. Each developer can construct his or her own custom compiler by stringing 
together a sequence of optimization passes from this web site. One could even imagine 
an intellectual property market emerging, as developers license passes or charge electronic 
cash for each use of a pass. In fact, future compilers may consist of a set of transformations 
distributed across multiple web sites, with the program (and its correctness proofs) flowing 
through the sites as it is optimized. 

8.5 Custom Compilers 

Compilers are traditionally thought of and built as general-purpose systems that should 
be able to compile any program given to them. As a consequence, they tend to contain 
analyses and transformations that are of general utility and almost always applicable. Any 
extra components would slow the compiler down and increase the complexity. 

The problem with this situation is that general techniques tend to do relatively pedes- 
trian things to the program. For specific classes of programs, more specialized analyses and 
transformations would make a huge difference [9, 8, 1]. But because they are not generally 
useful, they don't make it into widely used compilers. 

We believe that credible compilation can make it possible to develop lots of different 
custom compilers that have been specialized for specific classes of applications. The idea 
is to make a set of credible passes available, then allow the compiler builder to combine 
them in arbitrary ways. Very specialized passes could be included without threatening the 
stability of the compiler. One could easily imagine a range of compilers quickly developed 
for each class of applications. 

It would even be possible to extrapolate this idea to include optimistic transformations. In 
some cases, it is difficult to do the analysis required to perform a specific transformation. In 
this case, the compiler could simply omit the analysis, do the transformation, and generate 
a proof that would be correct if the analysis would have succeeded. If the transformation 
is incorrect, it will be filtered out by the compiler driver. Otherwise, the transformation 
goes through. 

This example of optimistic transformations illustrates a somewhat paradoxical property 
of credible compilation. Even though credible compilation will make it much easier to 
develop correct compilers, it also makes it practical to release much buggier compilers. In 
fact, as described below, it may change the reliability expectations for compilers. 

Programmers currently expect that the compiler will work correctly for every program 
that they give it. And you can see that something very close to this level of reliability is 
required if the compiler fails silently when it fails — it is very difficult for programmers to 
build a system if there is a reasonable probability that a given error can be caused by the 
compiler and not the application. 

But credible compilation completely changes the situation. If the programmer can 
determine whether or not the compiler operated correctly before testing the program, 
the development process can tolerate a compiler that occasionally fails. 

In this scenario, the task of the compiler developer changes completely. He or she is 
no longer responsible for delivering a program that works almost all of the time. It is 
enough to deliver a system whose failures do not significantly hamper the development of 
the system. There is little need to make very uncommon cases work correctly, especially if 
there are known work-arounds. The result is that compiler developers can be much more 
aggressive — the length of the development cycle will shrink and new techniques will be 
incorporated into production compilers much more quickly. 

9 Conclusions 

Most research on compiler correctness has focused on obtaining a compiler that is guaran- 
teed to generate correct code for every input program. This paper presents a less ambitious, 
but hopefully much more practical approach: require the compiler to generate a proof that 
the generated code correctly implements the input program. Credible compilation, as we 
call this approach, gives the compiler developer maximum flexibility, helps developers find 
compiler bugs, and eliminates the need to trust the developers of compiler passes. 

This paper presents logics that a compiler can use to prove that its transformations are 
correct, and provides examples that illustrate how the proofs would work for several stan- 
dard transformations. The logics support the standard two-phase approach to optimization: 
there is a logic that the compiler can use to prove that its analysis results are correct, and a 
logic that the compiler can use to prove that the transformed program correctly implements 
the original program. 

This paper marks the beginning of the research. Our future plans include integrat- 
ing techniques for handling pointers, dynamic memory allocation, and dynamic method 
dispatch into the framework. We also intend to implement a credible compiler. This im- 
plementation will provide valuable insight into the level of performance achievable with a 
credible compiler and the size of the correctness proofs. 

In a broader context, humans evolved in small groups characterized by deep, lifelong 
personal relationships based on mutual familiarity and trust. But the major changes in 
the organization of human society — agriculture, urbanization, the industrial revolution, 
and telecommunications — have all changed the human experience towards ever more 
ephemeral, anonymous interactions with larger groups of people. A global computer net- 
work and the concomitant rise of a society organized primarily around information will 
accelerate this trend with a vengeance. As people interact increasingly with and through 
networked computers instead of other people, we need a replacement for the trust that 
comes with personal relationships. One possible replacement, at least for relationships 
based primarily on information manipulation, is to augment information with evidence 
that it is in some sense correct. This approach decouples the trustworthiness of the infor- 
mation from its source, eliminating the need to trust the entities with whom one interacts. 
Credible compilers are one concrete example of this principle. 